CVE-2020-26034

Name of the Vulnerable Software and Affected Versions Zammad versions prior to 3.4.1

Description An account-enumeration issue was discovered in the Create User functionality, allowing an anonymous user to guess valid user email addresses. The application responds differently depending on whether the input supplied was recognized as associated with a valid user.

Recommendations For versions prior to 3.4.1, update to version 3.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Create User functionality to minimize the risk of exploitation.