Timothy Tjen A Looi

**Name of the Vulnerable Software and Affected Versions** Zammad versions 6.4.0 through 6.4.1 **Description** The issue allows for Server-Side Request Forgery (SSRF) to occur. Authenticated admin users can enable webhooks, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returns a redirect response, it would be followed automatically with another GET request. This could be abused by an attacker to cause GET requests, for example, in the local network. **Recommendations** For Zammad versions 6.4.0 through 6.4.1, update to version 6.4.2 or later to resolve the issue. As a temporary workaround, consider disabling the webhook feature until a patch is available. Restrict access to the webhook configuration to minimize the risk of exploitation. Avoid using the webhook endpoint in the affected Zammad version until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zammad versions 6.4.0 through 6.4.1 **Description** The issue concerns client-side enforcement of server-side security in Zammad. Specifically, when users change their two-factor authentication configuration, they are required to re-authenticate with their current password first. However, this security measure is only enforced at the front-end level and not when the API is used directly. **Recommendations** For Zammad versions 6.4.0 through 6.4.1, update to version 6.4.2 to resolve the issue. As a temporary workaround, consider restricting direct API access for users until the update is applied.