An account-enumeration issue was discovered in Zammad before 3.4.1. The Create User functionality is implemented in a way that would enable an anonymous user to guess valid user email addresses. The application responds differently depending on whether the input supplied was recognized as associated with a valid user.
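The response difference described above, shown as an added example that is not Zammad's code: hypothetical in-memory sign-up handlers (all names, status codes and messages are assumptions) in a leaky form and a uniform form, plus a regression check that flags a handler whose answer depends on whether the address is registered.

```ruby
# Added example: hypothetical in-memory sign-up handlers, not Zammad code.
require 'set'

Response = Struct.new(:status, :body)

# Constructed sample data: one address that already has an account.
EXISTING = Set['alice@example.com'].freeze

def normalize(email)
  email.to_s.strip.downcase
end

# Leaky form: status and message reveal whether the address is registered.
def create_user_leaky(email, store = EXISTING)
  if store.include?(normalize(email))
    Response.new(422, 'Email address already in use.')
  else
    Response.new(201, 'Account created.')
  end
end

# Uniform form: same status and body either way. The difference (confirmation
# link vs. "you already have an account" notice) goes only to the mailbox owner.
def create_user_uniform(email, store = EXISTING, outbox = [])
  addr = normalize(email)
  kind = store.include?(addr) ? :already_registered_notice : :confirm_signup
  outbox << [addr, kind]
  Response.new(202, 'If the address can be used, a confirmation email has been sent.')
end

# Regression check: does the handler answer differently for a known and an
# unknown address? true means an anonymous client can tell them apart.
def enumerable?(handler, known:, unknown:)
  a = handler.call(known)
  b = handler.call(unknown)
  [a.status, a.body] != [b.status, b.body]
end

if __FILE__ == $PROGRAM_NAME
  probe = { known: 'Alice@Example.com', unknown: 'nobody@example.com' }
  puts "leaky:   #{enumerable?(method(:create_user_leaky), **probe)}"
  puts "uniform: #{enumerable?(method(:create_user_uniform), **probe)}"
end
```

The check compares status and body only; response time can differ between the two branches as well and should be compared separately.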
Related Posts
CVE-2020-26028 (zammad): An issue was discovered in Zammad before 3.4.1. Admin Users without a ticket.* permission can access Tickets.
CVE-2020-26033 (zammad): An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints (for add and delete) lack a CSRF token check.
CVE-2020-26031 (zammad): An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers (who are authenticated but have insufficient permissions).