CVE-2025-43926: Cross-site Scripting in Znuny

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.2% (top 56.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: May 8

Description

An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

Source   Package        Affected range
debian   debian/znuny   < znuny 6.5.15-2 (forky)
Debian   znuny/znuny    < 6.5.15-2+1
NVD      znuny/znuny    7.0.17.1.6+1

Vulnerability Details (2)

GHSA: GHSA-6mp7-r3w8-3vrm: An issue was discovered in Znuny through 6... (2025-05-08)
OSV: CVE-2025-43926: An issue was discovered in Znuny through 6... (2025-05-08)

Vendor Advisories (1)

Debian: CVE-2025-43926: znuny - An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJ... (2025)