Exposure of Internal Configuration Data in Zammad by Zammad
CVE-2023-50453

5.3MEDIUM

Key Information:

Vendor: Zammad
Status: Zammad
Vendor: CVE Published:; 10 December 2023

What is CVE-2023-50453?

A security flaw in Zammad prior to version 6.2.0 allows unauthorized access to internal user configuration data through the public API endpoint /api/v1/signshow. This endpoint inadvertently reveals sensitive information about user attributes, making it a potential target for malicious actors aiming to exploit user data and configurations.

References

https://zammad.com/en/advisories/zaa-2023-08

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 10, 2023
Vulnerability Reserved
Dec 10, 2023

CVE-2023-50453 Data

JSON