Improper Access Control in Zammad 5.2.1 Allows Unauthorized Ticket Modifications

Improper Access Control in Zammad 5.2.1 Allows Unauthorized Ticket Modifications

CVE-2022-40817 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Zammad 5.2.1 has a fine-grained permission model that allows to configure read-only access to tickets. However, agents were still wrongly able to perform some operations on such tickets, like adding and removing links, tags. and related answers. This issue has been fixed in 5.2.2.

Learn more about our Web Application Penetration Testing UK.