Denial of Service Vulnerability in Zammad by Zammad
CVE-2022-35488

7.5HIGH

Key Information:

Vendor: Zammad
Status: Zammad
Vendor: CVE Published:; 8 August 2022

What is CVE-2022-35488?

In Zammad version 5.2.0, a flaw exists within the 'forgot password' feature that allows attackers to exploit rate limiting mechanisms. By sending multiple rapid requests for password resets to a specific account, an adversary can trigger a Denial of Service condition. This results in an overwhelming volume of emails directed at the victim, effectively spamming them and disrupting normal service operations.

References

https://zammad.com/de/advisories/zaa-2022-05

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 8, 2022
Vulnerability Reserved
Jul 11, 2022

CVE-2022-35488 Data

JSON