An issue was discovered in Zammad before 6.2.0. It uses the public endpoint /api/v1/signshow for its login screen. This endpoint returns internal configuration data of user object attributes, such as selectable values, which should not be visible to the public.

Security Advisory

December 6, 2023 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2023-08
*   Date: 2023-12-06
*   Title: Information Disclosure
*   Severity: low
*   Product: Zammad 6.1.x
*   Fixed in: Zammad 6.2.0
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Information Disclosure**

Zammad uses the public endpoint /api/v1/signshow for its login screen. This endpoint would return internal configuration data of user object attributes, like selectable values, which should not be visible in public.

Special 🙏 and 🤘 and ❤️ to:

*   N: Trinh Vu
*   C: VNPT Cyber Immunity Center
*   W: https://www.linkedin.com/in/sonicr/

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/

Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2023-08

Please send remarks on security issues exclusively to security@zammad.com.

CVE-2023-50453: Security Advisory ZAA-2023-08 | Zammad

An issue was discovered in Zammad before 6.2.0. When listing tickets linked to a knowledge base answer, or knowledge base answers of a ticket, a user could see entries for which they lack permissions.

Security Advisory

December 6, 2023 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2023-05
*   Date: 2023-12-06
*   Title: Information Disclosure
*   Severity: medium
*   Product: Zammad 6.1.x
*   Fixed in: Zammad 6.2.0
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Information Disclosure**

When listing tickets linked to a knowledge base answer, or knowledge base answers of a ticket, a user could see entries they have no permission for.

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/

Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2023-05

Please send remarks on security issues exclusively to security@zammad.com.

CVE-2023-50457: Security Advisory ZAA-2023-05 | Zammad

An issue was discovered in Zammad before 6.2.0. An attacker can trigger phishing links in generated notification emails via a crafted first or last name.

Security Advisory

December 6, 2023 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2023-07
*   Date: 2023-12-06
*   Title: Improper Input Validation
*   Severity: medium
*   Product: Zammad 6.1.x
*   Fixed in: Zammad 6.2.0
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Improper Input Validation**

Due to insufficient input validation for user data, an attacker could use malicious data as first or last name. This leads to phishing links in the generated notification emails.

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/

Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2023-07

Please send remarks on security issues exclusively to security@zammad.com.

CVE-2023-50456: Security Advisory ZAA-2023-07 | Zammad

An issue was discovered in Zammad before 6.2.0. Due to lack of rate limiting in the "email address verification" feature, an attacker could send many requests for a known address to cause Denial Of Service (generation of many emails, which would also spam the victim).

Security Advisory

December 6, 2023 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2023-06
*   Date: 2023-12-06
*   Title: Denial of Service
*   Severity: low
*   Product: Zammad 6.1.x
*   Fixed in: Zammad 6.2.0
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Denial of Service**

Due to a missing rate limiting in the 'email address verification' feature of Zammad, an attacker could send many requests for a known address to cause Denial Of Service by many generated emails which would also spam the victim.

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/

Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2023-06

Please send remarks on security issues exclusively to security@zammad.com.

CVE-2023-50455: Security Advisory ZAA-2023-06 | Zammad

An issue was discovered in Zammad before 6.2.0. In several subsystems, SSL/TLS was used to establish connections to external services without proper validation of hostname and certificate authority. This is exploitable by man-in-the-middle attackers.

Security Advisory

December 6, 2023 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2023-04
*   Date: 2023-12-06
*   Title: Improper Certificate Validation
*   Severity: high
*   Product: Zammad 6.1.x
*   Fixed in: Zammad 6.2.0
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Improper Certificate Validation**

In several subsystems of Zammad, SSL/TLS was used to establish connections to external services without proper validation of hostname and certificate authority. This is a security risk in case an attacker manages to redirect network traffic to another server.

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

🚨 Please note that for existing configured external connections such as email, SSL verification _will not be turned on automatically_. Admins need to review all configured connections and turn on SSL verification where applicable (e.g. in case of publicly available services).

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/

Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2023-04

Please send remarks on security issues exclusively to security@zammad.com.

CVE-2023-50454: Security Advisory ZAA-2023-04 | Zammad

A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.

CVE-2023-5870

JFinalCMS 5.0.0 could allow a remote attacker to read files via ../ Directory Traversal in the /common/down/file fileKey parameter.

在/common/down/file路由功能下，可以对参数fileKey设计带有恶意性质内容的文件名实现目录穿越，从而下载已知目录内的任意已知文件名，且该行为并不需要进行登录。

    poc:
    Linux:   /../../../../../../../etc/passwd
    Windows:  /../../../../../../../test.txt （test.txt为测试用的在根目录下的文件）

CVE-2023-50449: JFinalCMS存在未授权目录遍历漏洞 · Issue #I7WGC6 · 樱木/JFinalCMS - Gitee.com

An issue was discovered in Mullvad VPN Windows app before 2023.6-beta1. Insufficient permissions on a directory allow any local unprivileged user to escalate privileges to SYSTEM.

> _Reviewable_ status: 9 of 14 files reviewed, 3 unresolved discussions (waiting on @Jontified)

_mullvad-paths/src/windows.rs line 146 at r3 (raw file):_

>     // Authenticated users SID https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
>     let (authenticated\_users\_ea, authenticated\_users\_psid) =
>         match create\_explicit\_access("S-1-5-11", GENERIC\_READ) {

This is fine, but it seems like we could have used CreateWellKnownSid(WinAuthenticatedUserSid, ...) and CreateWellKnownSid(WinBuiltinAdministratorsSid, ...) here.

A nice thing about it is that we allocate the memory ourselves, so most of the LocalFrees go away, and we only have to use plain arrays or Vecs. Cleaner, probably?

Though I vaguely recall that this did not work for some reason.

_mullvad-paths/src/windows.rs line 217 at r3 (raw file):_

>     let sid\_wide\_str = get\_wide\_str(sid\_wide\_str);
>     let mut psid = ptr::null\_mut();
>     if 0 == unsafe { ConvertStringSidToSidW(sid\_wide\_str.as\_ptr(), &mut psid) } {

I think we should avoid Yoda conditions, as they're inconsistent with our general code style. The point of these is mainly to prevent accidental assignment, which isn't relevant for if statements in Rust.

CVE-2023-50446: Set permissions on log directory by Jontified · Pull Request #5398 · mullvad/mullvadvpn-app

A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.

CVE-2023-6655

A vulnerability classified as critical was found in PHPEMS 6.x/7.0. Affected by this vulnerability is an unknown functionality in the library lib/session.cls.php of the component Session Data Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247357 was assigned to this vulnerability.

Source

CVE