Zammad API Vulnerability Allows Access to Time Accounting Details
CVE-2024-33666

8.6HIGH

Key Information:

Vendor: Zammad
Status: Zammad
Vendor: CVE Published:; 26 April 2024

What is CVE-2024-33666?

A vulnerability identified in Zammad prior to version 6.3.0 allows users with customer access to certain tickets to obtain sensitive time accounting details through the API. This confidential information, meant solely for agent access, poses a significant risk as it compromises the integrity of customer data handling within the system. Organizations using affected versions are urged to update promptly to mitigate potential exploitation.

References

https://zammad.com/en/advisories/zaa-2024-01

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 26, 2024
Vulnerability Reserved
Apr 26, 2024

CVE-2024-33666 Data

JSON