CVE-2025-32358

CVSS 4 MEDIUMEPSS 0.2%CWE-918

In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returned a redirect response, Zammad would follow it automatically with another GET request. This could be abused by an attacker to cause GET requests for example in the local network.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Produtos afetados

Zammad · Zammad

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://zammad.com/en/advisories/zaa-2025-01