Emil Virkki

**Name of the Vulnerable Software and Affected Versions** Zammad versions prior to 4.1.1 **Description** An issue was discovered in Zammad, where there is stored XSS via a custom Avatar. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zammad versions prior to 4.1.1 **Description** An issue allows an admin to discover the application secret via the API. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zammad versions prior to 4.1.1 **Description** An issue in the Form functionality allows remote code execution due to mishandled deserialization. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zammad versions prior to 4.1.1 **Description** An issue allows stored XSS to occur via an Article during the addition of an attachment to a Ticket. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zammad versions prior to 4.1.1 **Description** An issue allows an admin to execute code on the server via a crafted request that manipulates triggers. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to trigger manipulation functionality until a patch is applied.