CVE-2025-32360

Medium CVSS: 4.2

In Zammad 6.4.x before 6.4.2, there is information exposure. Only agents should be able to see and work on shared article drafts. However, a logged in customer was able to see details about shared drafts for their customer tickets in the browser console, which may contain confidential information, and also to manipulate them via API.

Vendor

Zammad

Product

Zammad

CWE

CWE-402

Yayın Tarihi

2025-04-05 21:15:40

Güncelleme

2025-04-15 15:25:12

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-402 Zammad MEDIUM Zammad 2025

Referanslar

https://zammad.com/en/advisories/zaa-2025-03

Benzer Kayıtlar

Medium

CVE-2025-32358

In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are trigger…

Medium

CVE-2025-32359

In Zammad 6.4.x before 6.4.2, there is client-side enforcement of server-side security. When changing their two factor a…

Medium

CVE-2025-32357

In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to f…