Lucene search

GoogleOSV:CVE-2022-48023

HistoryFeb 03, 2023 - 1:15 a.m.

CVE-2022-48023

2023-02-0301:15:13

Google

osv.dev

zammad

privilege verification

authenticated attacker

customer ticket

api

v5.3.0

v5.3.1

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.0%

JSON

Insufficient privilege verification in Zammad v5.3.0 allows an authenticated attacker to perform changes on the tags of their customer tickets using the Zammad API. This is now corrected in v5.3.1 so that only agents with write permissions may change ticket tags.

CPENameOperatorVersion
zammadeq5.3.0-alpha
zammadeq1.6.0
zammadeq2.10.0
zammadeq1.6.1
zammadeq3.7.0
zammadeq5.3.0
zammadeq5.2.0-alpha

Name	Operator	Version
zammad	eq	5.3.0-alpha
zammad	eq	1.6.0
zammad	eq	2.10.0
zammad	eq	1.6.1
zammad	eq	3.7.0
zammad	eq	5.3.0
zammad	eq	5.2.0-alpha

References

zammad.com/de/advisories/zaa-2022-12

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.0%

JSON

Related for OSV:CVE-2022-48023