CVE-2021-35301
https://notcve.org/view.php?id=CVE-2021-35301
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view.
Reference: https://zammad.com/en/advisories/zaa-2021-05
CVE-2021-35302
https://notcve.org/view.php?id=CVE-2021-35302
Incorrect Access Control for linked Tickets in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information.
Reference: https://zammad.com/en/advisories/zaa-2021-04
CVE-2021-35303
https://notcve.org/view.php?id=CVE-2021-35303
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via the User Avatar attribute.
Reference: https://zammad.com/en/advisories/zaa-2021-06
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-26028
https://notcve.org/view.php?id=CVE-2020-26028
An issue was discovered in Zammad before 3.4.1. Admin Users without a ticket.* permission can access Tickets.
Reference: https://zammad.com/news/security-advisory-zaa-2020-19
Weakness: CWE-863: Incorrect Authorization
CVE-2020-26029
https://notcve.org/view.php?id=CVE-2020-26029
An issue was discovered in Zammad before 3.4.1. There are wrong authorization checks for impersonation requests via X-On-Behalf-Of. The authorization checks are performed for the actual user and not the one given in the X-On-Behalf-Of header.
Reference: https://zammad.com/news/security-advisory-zaa-2020-20
Weakness: CWE-863: Incorrect Authorization