CVE-2020-10099

Name of the Vulnerable Software and Affected Versions Zammad versions 3.0 through 3.2

Description A cross-site scripting (XSS) issue was discovered, allowing malicious code to be provided by a low-privileged user through the Ticket functionality. The malicious JavaScript will execute within the browser of any user who opens the ticket or has the ticket within the Toolbar.

Recommendations For Zammad versions 3.0 through 3.2, consider disabling the Ticket functionality until a patch is available to prevent the execution of malicious JavaScript code. Restrict access to the Ticket functionality to minimize the risk of exploitation. Avoid using the Ticket functionality in a way that could allow malicious code to be executed within the browser of other users. At the moment, there is no information about a newer version that contains a fix for this vulnerability.