
Michael F. Schönitzer

Researcher from rami.io GmbH
#40499 of 53,635
6.7 Total CVSS
Vulnerabilities · 1
PT-2024-26886
6.7
2024-05-19
Zammad · Zammad · CVE-2024-36078
**Name of the Vulnerable Software and Affected Versions**

Zammad versions prior to 6.3.1

**Description**

A Ruby gem bundled by Zammad is installed with world-writable file permissions, allowing a local attacker on the server to modify the gem's files and inject arbitrary code into Zammad processes. These processes run with the environment and permissions of the Zammad user.

**Recommendations**

For versions prior to 6.3.1, update to version 6.3.1 or later to resolve the issue. As a temporary workaround, consider restricting write access to the Ruby gem's files to prevent modification by unauthorized users.