Insecure FormIDs in Zammad Upload Cache Could Lead to Malicious Content Upload
CVE-2024-33668

9.1CRITICAL

Key Information:

Vendor: Zammad
Status: Zammad
Vendor: CVE Published:; 26 April 2024

What is CVE-2024-33668?

A vulnerability has been identified in Zammad prior to version 6.3.0, whereby the Upload Cache utilizes insecure and partially guessable FormIDs for content identification. This flaw enables potential attackers to leverage brute force techniques to upload harmful content into article drafts, thereby compromising the security of the application and potentially affecting users who have no intended access to those drafts.

References

https://zammad.com/en/advisories/zaa-2024-02

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 26, 2024
Vulnerability Reserved
Apr 26, 2024

CVE-2024-33668 Data

JSON