Vulnerability Description
Zammad GmbH Zammad version 2.3.0 and earlier contains a Improper Neutralization of Script-Related HTML Tags in a Web Page (CWE-80) vulnerability in the subject of emails which are not html quoted in certain cases. This can result in the embedding and execution of java script code on users browser. This attack appear to be exploitable via the victim openning a ticket. This vulnerability appears to have been fixed in 2.3.1, 2.2.2 and 2.1.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zammad | Zammad | <= 2.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/zammad/zammad/issues/1869Third Party Advisory
- https://zammad.com/news/release-2-4Vendor Advisory
- https://zammad.com/news/security-advisory-zaa-2018-01Vendor Advisory
- https://github.com/zammad/zammad/issues/1869Third Party Advisory
- https://zammad.com/news/release-2-4Vendor Advisory
- https://zammad.com/news/security-advisory-zaa-2018-01Vendor Advisory
FAQ
What is CVE-2018-1000154?
CVE-2018-1000154 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Zammad GmbH Zammad version 2.3.0 and earlier contains a Improper Neutralization of Script-Related HTML Tags in a Web Page (CWE-80) vulnerability in the subject of emails which are not html quoted in c...
How severe is CVE-2018-1000154?
CVE-2018-1000154 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000154?
Check the references section above for vendor advisories and patch information. Affected products include: Zammad Zammad.