CVE-2020-26032
https://notcve.org/view.php?id=CVE-2020-26032
An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the user. An attacker can use this to request any URL via a GET request from the network interface of the server. This may lead to disclosure of information from intranet systems. • https://zammad.com/news/security-advisory-zaa-2020-15 • CWE-918: Server-Side Request Forgery (SSRF)
CVE-2020-26033
https://notcve.org/view.php?id=CVE-2020-26033
An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints (for add and delete) lack a CSRF token check. • https://zammad.com/news/security-advisory-zaa-2020-17 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2020-26034
https://notcve.org/view.php?id=CVE-2020-26034
An account-enumeration issue was discovered in Zammad before 3.4.1. The Create User functionality is implemented in a way that would enable an anonymous user to guess valid user email addresses. The application responds differently depending on whether the input supplied was recognized as associated with a valid user. • https://zammad.com/news/security-advisory-zaa-2020-14
CVE-2020-26035
https://notcve.org/view.php?id=CVE-2020-26035
An issue was discovered in Zammad before 3.4.1. There is Stored XSS via a Tags element in a Ticket. • https://zammad.com/news/security-advisory-zaa-2020-21 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-29158
https://notcve.org/view.php?id=CVE-2020-29158
An issue was discovered in Zammad before 3.5.1. An Agent with Customer permissions in a Group can bypass intended access control on internal Articles via the Ticket detail view. • https://github.com/zammad/zammad/commit/cf5a5e396058d4b134dd33d0a62b11c1733c98ab • https://zammad.com/en/advisories/zaa-2020-23 • CWE-862: Missing Authorization