A vulnerability, which was classified as problematic, has been found in Zammad 3.0/3.1/3.2. This issue affects an unknown functionality of the component Email Handler. The manipulation with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. Impacted is integrity. An attacker might be able to inject arbitrary html and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors. The summary by CVE is:

An XSS issue was discovered in Zammad 3.0 through 3.2. Malicious code can be provided by a low-privileged user through the Email functionality. The malicious JavaScript will execute within the browser of any user who opens the Ticket with the Article created from that Email.

The weakness was released 03/05/2020. The identification of this vulnerability is CVE-2020-10098 since 03/05/2020. The attack may be initiated remotely. The successful exploitation needs a simple authentication. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Entries connected to this vulnerability are available at 150855, 150854, 150853 and 150852.

Productinfoedit

Name

• Zammad

CPE 2.3infoedit

• 🔒
• 🔒
• 🔒

CPE 2.2infoedit

• 🔒
• 🔒
• 🔒

CVSSv3infoedit

CVSSv2infoedit

Exploitinginfoedit

Threat Intelligenceinfoedit

Countermeasuresinfoedit

Timelineinfoedit

Sourcesinfoedit

Entryinfoedit

Comments