Knowledge Base Access Flaw in Zammad by Zammad Inc.
CVE-2025-32357

4.3MEDIUM

Key Information:

Vendor: Zammad
Status: Zammad
Vendor: CVE Published:; 5 April 2025

What is CVE-2025-32357?

In Zammad versions prior to 6.4.2, an authenticated agent with permissions for the knowledge base was able to exploit the Zammad API to access knowledge base contents that they were not authorized to view. This vulnerability could lead to unauthorized disclosure of sensitive information, emphasizing the need for stricter access control measures and proper validation of user permissions within the application.

Affected Version(s)

Zammad 6.4 < 6.4.2

References

https://zammad.com/en/advisories/zaa-2025-04

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 5, 2025
Vulnerability Reserved
Apr 5, 2025

CVE-2025-32357 Data

JSON