Zammad Information Exposure Vulnerability Allowing Customers to Access and Manipulate Shared Drafts

Vulnerability

An information exposure vulnerability exists in Zammad versions 6.4.x prior to 6.4.2. It allows logged-in customers to view the details of shared article drafts attached to their own customer tickets by inspecting data in the browser console. These drafts are meant to be visible only to agents and may contain confidential information. In addition, customers could manipulate these drafts through the API.

Impact

Exploitation of this vulnerability could give a customer unauthorized access to confidential information contained in agent-only shared article drafts, as well as the ability to modify those drafts through the API.

Remediation

Users are advised to upgrade to Zammad version 6.5.0 or 6.4.2. Fixed releases are available from the Zammad website, the Zammad FTP server, or through the OS package manager.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 3.1
exploitability: 5.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.