In Zammad before 6.3.1, a Ruby gem bundled by Zammad is installed with world-writable file permissions. This allowed a local attacker on the server to modify the gem's files, injecting arbitrary code into Zammad processes (which run with the environment and permissions of the Zammad user).
{
"versions": [
{
"introduced": "0"
},
{
"last_affected": "6.3.0-NA"
},
{
"introduced": "0"
},
{
"last_affected": "6.3.0-alpha"
}
]
}