Design/Logic Flaw

2017-03-1306:59:00

PRIOn knowledge base

www.prio-n.com

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.2%

JSON

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism involving HTTP Access-Control headers. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie and receive the result.

CPENameOperatorVersion
zammadeq1.1.0
zammadeq1.1.1
zammadeq1.2.0
zammadle1.0.3
zammadeq1.1.2

Name	Operator	Version
zammad	eq	1.1.0
zammad	eq	1.1.1
zammad	eq	1.2.0
zammad	le	1.0.3
zammad	eq	1.1.2

References

www.securityfocus.com/bid/96937

zammad.com/de/news/security-advisory-zaa-2017-01