CVE-2025-32360

Name of the Vulnerable Software and Affected Versions Zammad versions 6.4.0 through 6.4.1

Description The issue concerns information exposure where logged-in customers can see details about shared article drafts for their customer tickets in the browser console, potentially containing confidential information. Additionally, customers can manipulate these drafts via API. This exposure is unintended, as only agents should have access to such information.

Recommendations For Zammad versions 6.4.0 through 6.4.1, update to version 6.4.2 to resolve the issue. As a temporary workaround, consider restricting access to the API endpoints related to shared article drafts to prevent manipulation by unauthorized users.