Arbitrary Code Execution via User Avatar Attribute in Zammad 1.0.x up to 4.0.0

CVE-2021-35303 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via the User Avatar attribute.
