CVE-2024-33668

EUVD-2024-31381
An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
Affected Products (NVD)
VendorProductVersion
zammadzammad
6.2.0 ≤
𝑥
< 6.3.0
zammadzammad
6.3.0:alpha
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
zammadzammad
6.2.0 ≤
𝑥
< 6.3.0
ADP
Common Weakness Enumeration
References
https://zammad.com/en/advisories/zaa-2024-02
https://zammad.com/en/advisories/zaa-2024-02