An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata.
The vulnerability results from improper implementation of access control (CWE-862 — missing required authorization) in the Generic Interface component of Znuny. An attacker can send requests to the API without having appropriate permissions and modify ticket metadata. Since the mechanism does not verify the identity or permissions of the caller, operations reserved for authorized users can be performed by unauthorized or unauthenticated persons.
An attacker can remotely read, modify, and potentially destroy ticket metadata in the helpdesk system without authentication, which may lead to violations of confidentiality, integrity, and availability of data managed by Znuny.
Znuny should be updated to version 7.1.4 or newer. Detailed information about the patch is available in the official security advisory from the vendor at https://www.znuny.org/en/advisories/zsa-2025-02
Znuny in all versions before 7.1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HZnuny
APPZnuny6.0.0 – 6.0.486.5.1 – 6.5.117.0.1 – 7.1.3
Related vulnerabilities
Eval Injection w Znuny umożliwia zdalne wykonanie poleceń
Znuny: Ciasteczko sesji bez flagi HttpOnly — ryzyko kradzieży sesji
Path traversal i RCE w Znuny poprzez manipulację żądaniem AJAX
An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encr...
An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.