PT-2024-25423 · Zammad · Zammad

Tyler Wright · Published 2024-04-26 · Updated 2024-07-03 · CVE-2024-33666

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Zammad versions prior to 6.3.0
Description: Zammad before 6.3.0 allows an authenticated user who has customer access to a ticket to retrieve that ticket's time accounting details through the API. This data is intended to be visible only to agents, so the flaw is a missing authorization check on an agent-only association rather than a bypass of ticket read access itself; exploitation requires an account with customer access to the affected ticket.
Recommendations: For versions prior to 6.3.0, update to version 6.3.0 or later to resolve the issue. As a temporary workaround, consider restricting API access for users with customer access to reduce the risk of exploitation; note that the Zammad web interface itself uses the same REST API, so a blanket block would also affect normal customer portal use, and the restriction should be treated as a stopgap until the upgrade is applied.
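The following Ruby block is an added, illustrative model of the access-control pattern the advisory describes; it is not Zammad's code, and the struct names, the permission strings 'ticket.agent' / 'ticket.customer', and the serializer functions are assumptions chosen to mirror the description. It contrasts a serializer that attaches time accounting records to anyone who may read the ticket with one that gates that association on the agent permission.

```ruby
# Illustrative model of the flaw class behind CVE-2024-33666 (added example,
# not Zammad's implementation). Class names, permission strings and the
# serializer functions below are assumptions, not the project's real API.

User = Struct.new(:id, :permissions) do
  # Zammad-style permission check: true when one of the user's roles grants it.
  def permission?(name)
    permissions.include?(name)
  end
end

Ticket = Struct.new(:id, :customer_id, :time_accountings)

TimeAccounting = Struct.new(:ticket_id, :time_unit, :created_by_id)

# Ticket read access: agents may read any ticket, customers only their own.
def can_read_ticket?(user, ticket)
  return true if user.permission?('ticket.agent')

  user.permission?('ticket.customer') && ticket.customer_id == user.id
end

# Vulnerable serializer: once ticket read access is granted, every associated
# record is attached, so a customer receives agent-only time accounting data.
def ticket_payload_vulnerable(user, ticket)
  return nil unless can_read_ticket?(user, ticket)

  {
    id: ticket.id,
    time_accountings: ticket.time_accountings.map(&:to_h)
  }
end

# Hardened serializer: the agent-only association is included only when the
# caller holds the agent permission, independent of ticket read rights.
def ticket_payload_fixed(user, ticket)
  return nil unless can_read_ticket?(user, ticket)

  payload = { id: ticket.id }
  if user.permission?('ticket.agent')
    payload[:time_accountings] = ticket.time_accountings.map(&:to_h)
  end
  payload
end

# Constructed sample data (not taken from any real Zammad instance).
AGENT    = User.new(1, ['ticket.agent'])
CUSTOMER = User.new(2, ['ticket.customer'])
OTHER    = User.new(3, ['ticket.customer'])
TICKET   = Ticket.new(42, CUSTOMER.id, [TimeAccounting.new(42, 1.5, AGENT.id)])

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, customer: #{ticket_payload_vulnerable(CUSTOMER, TICKET).inspect}"
  puts "fixed, customer:      #{ticket_payload_fixed(CUSTOMER, TICKET).inspect}"
  puts "fixed, agent:         #{ticket_payload_fixed(AGENT, TICKET).inspect}"
  puts "fixed, other customer: #{ticket_payload_fixed(OTHER, TICKET).inspect}"
end
```

The design point is that ticket read access and visibility of an agent-only association are separate decisions: the hardened version keeps the ticket readable for its customer while withholding the time accounting entries, and still denies the ticket entirely to an unrelated customer.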

Fix

Weakness Enumeration
Improper Access Control

Related Identifiers
CVE-2024-33666

Affected Products
Zammad