CVE-2025-32360

Source
https://cve.org/CVERecord?id=CVE-2025-32360
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-32360.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-32360
Published
2025-04-05T21:15:40.820Z
Modified
2026-03-09T23:51:34.537141Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
[none]
Details

In Zammad 6.4.x before 6.4.2, there is information exposure. Only agents should be able to see and work on shared article drafts. However, a logged-in customer was able to see details about shared drafts for their customer tickets in the browser console, and those drafts may contain confidential information. The customer was also able to manipulate the drafts via the API.

References

Affected packages

Git / github.com/zammad/zammad

Affected ranges

Type
GIT
Repo
https://github.com/zammad/zammad
Events
Database specific
{
    "versions": [
        {
            "introduced": "6.4.0"
        },
        {
            "fixed": "6.4.2"
        }
    ]
}

Affected versions

6.*
6.4.0
6.4.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-32360.json"