Zammad Incorrect Access Control Vulnerability in Two-Factor Authentication Management

Vulnerability

Zammad versions 6.4.x prior to 6.4.2 rely on client-side enforcement of a server-side security check (CWE-602, Client-Side Enforcement of Server-Side Security). Users must re-authenticate with their current password when changing their two-factor authentication settings, but this requirement is enforced only in the web front end and not by the API. A client that calls the API directly, bypassing the front end, is therefore never asked for the password and the check can be skipped.

Impact

A user who is already authenticated, or anyone holding a valid session or API token for that user (for example after session hijacking), can change the account's two-factor authentication settings through the API without supplying the current password. This removes the protection that the re-authentication step is meant to provide against an attacker who has a session but not the password.

Remediation

Users are advised to upgrade to Zammad 6.4.2 or 6.5.0. Fixed releases are available from the Zammad website or through the Zammad OS packages.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 5.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.