PT-2021-20880 · Zammad · Zammad

N: Chung

Published

2021-06-28

Updated

2021-07-02

CVE-2021-35303

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Zammad versions 1.0.x through 4.0.0

Description: The issue allows remote attackers to execute arbitrary web script or HTML via the User Avatar attribute, enabling Cross Site Scripting (XSS) attacks. This can lead to the execution of malicious scripts on the victim's browser.

Recommendations: For versions 1.0.x through 4.0.0, update to a version later than 4.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the User Avatar attribute to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2021-35303

Affected Products

Zammad

PT-2021-20880 · Zammad · Zammad

CVE-2021-35303

Weakness Enumeration

Related Identifiers

Affected Products

References · 5