PT-2022-12252 · Zammad · Zammad
Heiko Stämmler · Published 2022-02-04 · Updated 2023-08-08 · CVE-2021-44886
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Zammad version 5.0.2
Description
Zammad allows agents to configure "out of office" periods and substitute persons. If a substitute person does not have the same permissions as the original agent, the substitute could receive ticket notifications for tickets that they have no access to.
Recommendations
For Zammad version 5.0.2, ensure that substitute persons have the same permissions as the original agent to prevent unauthorized access to ticket notifications. As a temporary workaround, consider restricting access to ticket notifications for substitute persons until a proper permission alignment can be established.
Fix
Related Identifiers
Affected Products
Zammad