CVE-2020-10100

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-10100

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10100.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-10100

Published

2020-03-05T01:15:11.303Z

Modified

2026-03-14T09:47:59.955714Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in Zammad 3.0 through 3.2. It allows for users to view ticket customer details associated with specific customers. However, the application does not properly implement access controls related to this functionality. As such, users of one company are able to access ticket data from other companies. Due to the multi-tenant nature of this application, users who can access ticket details from one organization to the next allows for users to exfiltrate potentially sensitive data of other companies.

References

https://zammad.com/news/security-advisory-zaa-2020-05

Affected packages

Git / github.com/zammad/zammad

Affected ranges

Type

GIT

Repo

https://github.com/zammad/zammad

Events

Introduced

9bdf6d7b816d4e55501e13d12dc0d9b53cf16f5c

Last affected

e0ff35cb1492d1fd09f971ead0426ea6acbbef30

Database specific

{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "last_affected": "3.2.0"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10100.json"