Znuny

znuny

Vendor: Znuny • 11 CVEs

CVEs (11)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-26846 1Znuny 1Znuny Jun 13, 2025 May 12, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata.
CVE-2025-26847 1Znuny 1Znuny May 16, 2025 May 8, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.
CVE-2025-26845 1Znuny 1Znuny May 16, 2025 May 8, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script.
CVE-2025-43926 1Znuny 1Znuny Jun 12, 2025 May 8, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via G...Show more An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.Show less
CVE-2025-26844 1Znuny 1Znuny Jun 12, 2025 May 8, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.
CVE-2025-26842 1Znuny 1Znuny Jun 12, 2025 May 8, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog.
CVE-2024-48938 1Znuny 1Znuny Mar 14, 2025 Oct 11, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing pr...Show more Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process.Show less
CVE-2024-48937 1Znuny 1Znuny Mar 13, 2025 Oct 11, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaScript code in the short description of the SLA field in Activity Dialogues is executed.
CVE-2024-32493 1Znuny 1Znuny Sep 2, 2025 Apr 29, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request.
CVE-2024-32492 1Znuny 1Znuny Sep 2, 2025 Apr 29, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail view in the customer front allows the execution of external JavaScript.
CVE-2024-32491 1Znuny 1Znuny Sep 2, 2025 Apr 29, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing...Show more An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server.Show less