CVE-2020-14214

Name of the Vulnerable Software and Affected Versions Zammad versions prior to 3.3.1

Description The issue relies on a claimed e-mail address for authorization decisions when Domain Based Assignment is enabled. An attacker can register a new account to gain access to all tickets of an arbitrary Organization.

Recommendations For versions prior to 3.3.1, update to version 3.3.1 or later to resolve the issue. As a temporary workaround, consider disabling the Domain Based Assignment feature until a patch is available. Restrict access to sensitive tickets and organizations to minimize the risk of exploitation.