CVE-2017-5619

CRITICAL

Zammad < 1.0.3 - Authentication Bypass

Title source: rule

Description

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Attackers can log in with the hashed password itself (e.g., from the DB) instead of the valid password string.

Scores

CVSS v3: 9.8
EPSS: 0.0044
EPSS Percentile: 63.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE: CWE-287
Status: draft

Affected Products (5)

zammad/zammad < 1.0.3
zammad/zammad
zammad/zammad
zammad/zammad
zammad/zammad

Timeline

Published: Mar 13, 2017
Tracked Since: Feb 18, 2026