CVE-2022-40816

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-40816

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-40816.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-40816

Published

2022-09-27T23:15:16.483Z

Modified

2026-03-14T11:54:40.094647Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web socket connection, so that a logged-in attacker would be able to fetch personal data of other users by querying the Zammad API. This issue is fixed in , 5.2.2.

References

https://zammad.com/de/advisories/zaa-2022-09

Affected packages

Git / github.com/zammad/zammad

Affected ranges

Type

GIT

Repo

https://github.com/zammad/zammad

Events

Introduced

29bf395d540985d2c78137c50ef48c975398af93

Fixed

80ed32a94d3a7018d40c0695840258c5556223c5

Database specific

{
    "versions": [
        {
            "introduced": "5.2.0"
        },
        {
            "fixed": "5.2.2"
        }
    ]
}

Affected versions

5.*

5.2.0

5.2.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-40816.json"