CRITICAL🇵🇱 Wersja polska

CVE-2025-26846

CVSS 9.8v3.1pub. 2025-05-12upd. 2025-06-13

An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata.

🤖 AI Analysis
How it works

The vulnerability results from improper implementation of access control (CWE-862 — missing required authorization) in the Generic Interface component of Znuny. An attacker can send requests to the API without having appropriate permissions and modify ticket metadata. Since the mechanism does not verify the identity or permissions of the caller, operations reserved for authorized users can be performed by unauthorized or unauthenticated persons.

Impact

An attacker can remotely read, modify, and potentially destroy ticket metadata in the helpdesk system without authentication, which may lead to violations of confidentiality, integrity, and availability of data managed by Znuny.

Mitigation & patch

Znuny should be updated to version 7.1.4 or newer. Detailed information about the patch is available in the official security advisory from the vendor at https://www.znuny.org/en/advisories/zsa-2025-02

Who is affected

Znuny in all versions before 7.1.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Znuny

    APP
    Znuny
    6.0.0 – 6.0.486.5.1 – 6.5.117.0.1 – 7.1.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-26845CRITICAL9.8PL ✓ten sam produkt

Eval Injection w Znuny umożliwia zdalne wykonanie poleceń

CVE-2025-26844CRITICAL9.8PL ✓ten sam produkt

Znuny: Ciasteczko sesji bez flagi HttpOnly — ryzyko kradzieży sesji

CVE-2024-32491CRITICAL9.8PL ✓ten sam produkt

Path traversal i RCE w Znuny poprzez manipulację żądaniem AJAX

CVE-2025-26842HIGH7.5ten sam produkt

An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encr...

CVE-2025-26847HIGH7.5ten sam produkt

An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.