CVE-2022-35490

Published: Aug 8, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Zammad 5.2.0 is vulnerable to privilege escalation. Zammad has a prevention against brute-force attacks trying to guess login credentials. After a configurable amount of attempts, users are invalidated and logins prevented. An attacker might work around this prevention, enabling them to send more than the configured amount of requests before the user invalidation takes place.

Affected (2)

Products: Zammad: Zammad

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Zammad Zammad	Version 5.2.0
Zammad Zammad	Version 5.2.0 alpha

Related CWEs

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References (2)

https://zammad.com/de/advisories/zaa-2022-07

Source: cve@mitre.org

Vendor Advisory

https://zammad.com/de/advisories/zaa-2022-07

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.