CVE-2025-43926

Medium CVSS: 6.1

An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.

Vendor

Znuny

Product

Znuny

CWE

CWE-79

Yayın Tarihi

2025-05-08 16:15:26

Güncelleme

2025-06-12 16:44:04

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-79 Znuny MEDIUM Znuny 2025

Referanslar

https://www.znuny.org/en/advisories/zsa-2025-07 https://znuny.com

Benzer Kayıtlar

Critical

CVE-2025-26846

An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to…

Critical

CVE-2025-26845

An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can us…

High

CVE-2025-26847

An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.

High

CVE-2025-26842

An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-ma…

Critical

CVE-2025-26844

An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.