Incorrect Access Control in Zammad by Zammad GmbH
CVE-2022-35487
7.5 HIGH
What is CVE-2022-35487?
Zammad version 5.2.0 is affected by an Incorrect Access Control vulnerability that allows unauthorized users to access sensitive attachments, such as email correspondence and other files. The flaw arises from a failure to properly enforce authorization checks on specific attachment endpoints, which makes the weakness potentially exploitable by unauthenticated attackers. The risk is serious because it could lead to unintended exposure of confidential information hosted on the platform.
