CVE-2020-10102

Name of the Vulnerable Software and Affected Versions Zammad versions 3.0 through 3.2

Description An issue was discovered in the Forgot Password functionality, which is implemented in a way that enables an anonymous user to guess valid user emails. The application responds differently depending on whether the input supplied was recognized as associated with a valid user. This behavior could be used as part of a two-stage automated attack. During the first stage, an attacker would iterate through a list of account names to determine which correspond to valid accounts. During the second stage, the attacker would use a list of common passwords to attempt to brute force credentials for accounts that were recognized by the system in the first stage.

Recommendations For Zammad versions 3.0 through 3.2, consider disabling the Forgot Password functionality until a patch is available to prevent potential brute force attacks. Restrict access to the Forgot Password feature to minimize the risk of exploitation. Avoid using the Forgot Password feature with accounts that have common or weak passwords until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.