PT-2022-25553 · Zammad · Zammad

Published: 2022-09-27 · Updated: 2023-08-08 · CVE-2022-40816

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Zammad 5.2.1

Description: The vulnerability is an incorrect access control flaw in Zammad's asset handling mechanism. That mechanism is meant to stop customer users from seeing other users' personal information, but the check was not applied to requests made over the web socket connection. An authenticated attacker holding an ordinary customer account could therefore retrieve other users' personal data by querying the Zammad API over the web socket rather than the HTTP path. This matches the CVSS vector: reachable over the network, low attack complexity, low privileges, no user interaction, high confidentiality impact, no integrity or availability impact.

Recommendations: Update Zammad 5.2.1 to version 5.2.2, which resolves the issue. Until the update is applied, restrict access to the Zammad API (including the web socket endpoint) to trusted networks or users to limit who can reach the vulnerable path; note that any valid customer account is enough to exploit the flaw, so network restriction alone only reduces exposure, it does not remove it.
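The transport-dependent authorization gap described above, modelled as an added Ruby example (Zammad is a Ruby on Rails application). This is illustrative code written for this page, not Zammad's source or its fix: the user records, role names, field list and the rest_/websocket_ function names are all constructed assumptions. It contrasts a design where each transport decides for itself whether to apply the asset filter (so one path can forget it) with a design where the filter lives in a single data-access entry point that every transport must go through.

```ruby
# Added illustration (not Zammad's code) of the failure mode behind
# CVE-2022-40816: an "asset filter" that strips personal fields for customer
# requesters is applied on the REST path but skipped on the web socket path.
# All names, roles and field lists below are constructed assumptions.

SENSITIVE_FIELDS = %w[email phone address note].freeze

# Constructed sample users (not real data).
USERS = {
  1 => { 'id' => 1, 'login' => 'alice', 'role' => 'agent',
         'email' => 'alice@example.test', 'phone' => '+1-555-0100',
         'address' => '1 Main St', 'note' => 'internal' },
  2 => { 'id' => 2, 'login' => 'bob', 'role' => 'customer',
         'email' => 'bob@example.test', 'phone' => '+1-555-0101',
         'address' => '2 Side St', 'note' => 'vip' },
  3 => { 'id' => 3, 'login' => 'carol', 'role' => 'customer',
         'email' => 'carol@example.test', 'phone' => '+1-555-0102',
         'address' => '3 Back St', 'note' => 'late payer' },
}.freeze

# The asset filter: agents see everything; a customer sees full data only for
# their own record and the public subset for anyone else.
def filter_user_asset(requester, user)
  return user.dup if requester['role'] == 'agent' || requester['id'] == user['id']
  user.reject { |k, _| SENSITIVE_FIELDS.include?(k) }
end

# Vulnerable design: each transport is responsible for calling the filter.
module VulnerableApp
  def self.rest_fetch_user(requester, user_id)
    filter_user_asset(requester, USERS.fetch(user_id)) # filtered
  end

  def self.websocket_fetch_user(_requester, user_id)
    USERS.fetch(user_id).dup # filter never applied: personal data leaks
  end
end

# Fixed design: one data-access entry point performs the check, and both
# transports are thin wrappers over it, so neither can skip it.
module FixedApp
  def self.load_user_asset(requester, user_id)
    filter_user_asset(requester, USERS.fetch(user_id))
  end

  def self.rest_fetch_user(requester, user_id)
    load_user_asset(requester, user_id)
  end

  def self.websocket_fetch_user(requester, user_id)
    load_user_asset(requester, user_id)
  end
end

# Regression check: can a customer read another user's sensitive fields over
# the given transport ('rest' or 'websocket')?
def leaks_sensitive?(app, transport, requester_id, target_id)
  requester = USERS.fetch(requester_id)
  asset = app.public_send(:"#{transport}_fetch_user", requester, target_id)
  requester['role'] == 'customer' && requester_id != target_id &&
    (asset.keys & SENSITIVE_FIELDS).any?
end

if __FILE__ == $PROGRAM_NAME
  [[VulnerableApp, 'vulnerable'], [FixedApp, 'fixed']].each do |app, label|
    %w[rest websocket].each do |transport|
      puts "#{label.ljust(10)} #{transport.ljust(9)} customer bob -> carol " \
           "leaks? #{leaks_sensitive?(app, transport, 2, 3)}"
    end
  end
end
```

The check in `leaks_sensitive?` is the kind of test worth keeping in a suite after a fix like this: it exercises every transport against the same authorization expectation, so a future entry point that bypasses the filter fails the test rather than shipping.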

Fix: update to Zammad 5.2.2

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2022-40816

Affected Products: Zammad