CVE-2023-50453

An issue was discovered in Zammad before 6.2.0. It uses the public endpoint /api/v1/signshow for its login screen. This endpoint returns internal configuration data of user object attributes, such as selectable values, which should not be visible to the public.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
VendorProductVersion
zammadzammad
6.1.0
zammadzammad
6.1.0:alpha
zammadzammad
6.2.0:alpha
𝑥
= Vulnerable software versions
References
https://zammad.com/en/advisories/zaa-2023-08
https://zammad.com/en/advisories/zaa-2023-08