An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.
The HttpOnly flag in the HTTP cookie header prevents client-side scripts (e.g., JavaScript) from accessing its value. When this flag is not set, an attacker can exploit an XSS vulnerability or other script execution mechanism in the victim's browser to read the cookie value and hijack the logged-in user's session. The absence of this flag is classified as CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag).
An attacker can steal the victim's session cookie and take over their authenticated session in the application, gaining access to data and functions with the privileges of the attacked user.
Apply patches available from the vendor according to the references (https://www.znuny.org/en/advisories/zsa-2025-05). It is recommended to update to a version higher than 7.1.3.
Znuny in versions up to and including 7.1.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HZnuny
APPZnuny≤ 7.1.3
Related vulnerabilities
Brak weryfikacji uprawnień w Generic Interface systemu Znuny (eskalacja uprawnień)
Eval Injection w Znuny umożliwia zdalne wykonanie poleceń
Path traversal i RCE w Znuny poprzez manipulację żądaniem AJAX
An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encr...
An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.