CVE-2024-33668

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-33668

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-33668.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-33668

Published

2024-04-26T01:15:46.320Z

Modified

2026-04-10T05:12:41.599937Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to.

References

https://zammad.com/en/advisories/zaa-2024-02

Affected packages

Git / github.com/zammad/zammad

Affected ranges

Type

GIT

Repo

https://github.com/zammad/zammad

Events

Introduced

6c358ca90cf7f7581aede5c45d10ac3f2e25bc52

Fixed

1e2f95d33f1ab16fd0d447b409e8c409c747c3c9

Introduced

Last affected

a6152567d3d965ce9f9aaef42d60c5d54003075c

Database specific

{
    "versions": [
        {
            "introduced": "6.2.0"
        },
        {
            "fixed": "6.3.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.3.0-alpha"
        }
    ]
}

Affected versions

1.*

1.6.0

3.*

3.7.0

5.*

5.2.0-alpha

5.3.0-alpha

5.4.0-alpha

5.5.0-alpha

6.*

6.0.0-alpha

6.1.0-alpha

6.2.0-alpha

6.3.0-alpha

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-33668.json"