PT-2020-11924 · Zammad · Zammad

Published: 2020-03-05 · Updated: 2021-07-21 · CVE-2020-10100

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Zammad versions 3.0 through 3.2

Description
The application does not properly enforce access controls on ticket customer details, so a user can view the customer details associated with specific customers. As a result, users of one company can access ticket data belonging to other companies, which could lead to the exfiltration of sensitive data. Because the application is multi-tenant, the impact is greater: users can read ticket details across organizations.

Recommendations
For Zammad versions 3.0 through 3.2, restrict access to ticket customer details so that users cannot reach data from other companies until a proper fix is applied. As a temporary workaround, limit the functionality that lets users view ticket customer details associated with specific customers.
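The class of defect described above, a lookup keyed only on a client-supplied ticket id without a tenant check, is illustrated below with an added example. This is not Zammad's code and makes no claim about how the flaw was implemented there; the data model (users, customers and tickets tied to an organization id), the `:agent` role that may see tickets across organizations, and the sample records are all constructed for the demonstration.

```ruby
# Added example (not Zammad's code): a ticket customer-details lookup, first
# without and then with tenant scoping. All records below are constructed.

User     = Struct.new(:id, :organization_id, :role)   # role: :customer or :agent (assumed roles)
Customer = Struct.new(:id, :organization_id, :email, :phone)
Ticket   = Struct.new(:id, :customer_id, :title)

CUSTOMERS = {
  1 => Customer.new(1, 100, "alice@org100.example", "+1-555-0100"),
  2 => Customer.new(2, 200, "bob@org200.example",   "+1-555-0200"),
}.freeze

TICKETS = {
  10 => Ticket.new(10, 1, "Printer broken"),
  20 => Ticket.new(20, 2, "VPN down"),
}.freeze

class AccessDenied < StandardError; end

# Vulnerable pattern: the only input that decides what is returned is the
# ticket id the client sent, so any authenticated user can read any
# customer's details simply by asking for a different ticket id.
def customer_details_unscoped(_requester, ticket_id)
  ticket = TICKETS[ticket_id] or return nil
  CUSTOMERS[ticket.customer_id]
end

# Hardened pattern: the requester's organization comes from the server-side
# session object, never from the request, and must match the organization of
# the ticket's customer. Agents (an assumed role) are allowed to see tickets
# across organizations; everyone else is confined to their own tenant.
def customer_details_scoped(requester, ticket_id)
  ticket   = TICKETS[ticket_id] or return nil
  customer = CUSTOMERS[ticket.customer_id] or return nil
  same_org = customer.organization_id == requester.organization_id
  unless same_org || requester.role == :agent
    # Denied cross-tenant reads are worth logging: a burst of them from one
    # account is the detection signal for enumeration of other tenants' tickets.
    raise AccessDenied, "user #{requester.id} may not read ticket #{ticket_id}"
  end
  customer
end

if __FILE__ == $PROGRAM_NAME
  bob = User.new(2, 200, :customer)
  puts "unscoped: #{customer_details_unscoped(bob, 10).email}"   # leaks org 100's customer
  begin
    customer_details_scoped(bob, 10)
  rescue AccessDenied => e
    puts "scoped:   #{e.message}"
  end
end
```

Note that the check compares organization ids held server-side; a check that trusted an organization id sent by the client would be no better than the unscoped version.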

Fix

Related Identifiers

CVE-2020-10100

Affected Products

Zammad