CVE-2022-27331

MEDIUM

Zammad < 5.1.0 - Exposure to Wrong Actor

Title source: rule

Description

An access control issue in Zammad v5.0.3 broadcasts administrative configuration changes to all users who have an active application instance, including settings that should only be visible to authenticated users.

Scores

CVSS v3: 4.3
EPSS: 0.0026
EPSS Percentile: 49.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE: CWE-668
Status: published

Affected Products (1)

zammad/zammad < 5.1.0

Timeline

Published: Apr 27, 2022
Tracked Since: Feb 18, 2026