CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2017-5620
https://notcve.org/view.php?id=CVE-2017-5620
13 Mar 2017 — An XSS issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Attachments are opened in a new tab instead of getting downloaded. This creates an attack vector of executing code in the domain of the application. Se ha descubierto un problema de XSS en Zammad en versiones anteriores a 1.0.4, 1.1.x en versiones anteriores a 1.1.3 y 1.2.x en versiones anteriores a 1.2.1. Los archivos adjuntos se abren en una nueva pestaña en lugar de descargarse. • http://www.securityfocus.com/bid/96937 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2017-6081
https://notcve.org/view.php?id=CVE-2017-6081
13 Mar 2017 — A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie. Se ha descubierto un problema de CSRF en Zammad en versiones anteriores a 1.0.4, 1.1.x en versiones anteriores a 1.1.3 y 1.2.x en versiones anteriores a 1.2.1. Para explotar esta vulnerabilidad, un atacante puede enviar peticiones entre dominios directamente a la API REST para u... • http://www.securityfocus.com/bid/96937 • CWE-352: Cross-Site Request Forgery (CSRF) •