Heiko Stämmler

Researcher from Heista GmbH
#47491 of 53,635
5.3 Total CVSS
Vulnerabilities · 1
PT-2022-12252
5.3
2022-02-04
Zammad · Zammad · CVE-2021-44886
**Name of the Vulnerable Software and Affected Versions**
Zammad version 5.0.2

**Description**
The issue allows agents to configure "out of office" periods and substitute persons. If the substitute persons do not have the same permissions as the original agent, they could receive ticket notifications for tickets that they have no access to.

**Recommendations**
For Zammad version 5.0.2, ensure that substitute persons have the same permissions as the original agent to prevent unauthorized access to ticket notifications. As a temporary workaround, consider restricting access to ticket notifications for substitute persons until a proper permission alignment can be established.