Debian Znuny vulnerabilities

21 known vulnerabilities affecting debian/znuny.

Total CVEs
21
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL4HIGH5MEDIUM9LOW2UNKNOWN1

Vulnerabilities

Page 1 of 2
CVE-2025-26846CRITICALCVSS 9.8fixed in znuny 6.5.13-1 (forky)2025
CVE-2025-26846 [CRITICAL] CVE-2025-26846: znuny - An issue was discovered in Znuny before 7.1.4. Permissions are not checked prope... An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata. Scope: local bookworm: open forky: resolved (fixed in 6.5.13-1) sid: resolved (fixed in 6.5.13-1) trixie: resolved (fixed in 6.5.13-1)
debian
CVE-2025-26844CRITICALCVSS 9.8fixed in znuny 6.5.13-1 (forky)2025
CVE-2025-26844 [CRITICAL] CVE-2025-26844: znuny - An issue was discovered in Znuny through 7.1.3. A cookie is set without the Http... An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag. Scope: local bookworm: open forky: resolved (fixed in 6.5.13-1) sid: resolved (fixed in 6.5.13-1) trixie: resolved (fixed in 6.5.13-1)
debian
CVE-2025-26845CRITICALCVSS 9.8fixed in znuny 6.5.13-1 (forky)2025
CVE-2025-26845 [CRITICAL] CVE-2025-26845: znuny - An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write... An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script. Scope: local bookworm: open forky: resolved (fixed in 6.5.13-1) sid: resolved (fixed in 6.5.13-1) trixie: resolved (fixed in 6.5.13-1)
debian
CVE-2025-26842HIGHCVSS 7.5fixed in znuny 6.5.13-1 (forky)2025
CVE-2025-26842 [HIGH] CVE-2025-26842: znuny - An issue was discovered in Znuny through 7.1.3. If access to a ticket is not giv... An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog. Scope: local bookworm: open forky: resolved (fixed in 6.5.13-1) sid: resolved (fixed in 6.5.13-1) trixie: resolved (fixed in 6.5.13-1)
debian
CVE-2025-26847HIGHCVSS 7.5fixed in znuny 6.5.15-2 (forky)2025
CVE-2025-26847 [HIGH] CVE-2025-26847: znuny - An issue was discovered in Znuny before 7.1.5. When generating a support bundle,... An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked. Scope: local bookworm: open forky: resolved (fixed in 6.5.15-2) sid: resolved (fixed in 6.5.15-2) trixie: resolved (fixed in 6.5.15-2)
debian
CVE-2025-3573MEDIUMCVSS 5.3fixed in kalkun 0.8.3.2-1 (forky)2025
CVE-2025-3573 [MEDIUM] CVE-2025-3573: civicrm - Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-... Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary. Scope: local bullseye: open
debian
CVE-2025-43926MEDIUMCVSS 6.1fixed in znuny 6.5.15-2 (forky)2025
CVE-2025-43926 [MEDIUM] CVE-2025-43926: znuny - An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJ... An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permi
debian
CVE-2025-52204MEDIUMCVSS 6.1fixed in znuny 6.5.19-1 (forky)2025
CVE-2025-52204 [MEDIUM] CVE-2025-52204: znuny - A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the cu... A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the customer.pl endpoint via the OTRSCustomerInterface parameter Scope: local bookworm: open forky: resolved (fixed in 6.5.19-1) sid: resolved (fixed in 6.5.19-1) trixie: open
debian
CVE-2025-59490UNKNOWNfixed in znuny 6.5.19-1 (forky)2025
CVE-2025-59490 CVE-2025-59490: znuny bookworm: open forky: resolved (fixed in 6.5.19-1) sid: resolved (fixed in 6.5.19-1) trixie: open
debian
CVE-2024-32491CRITICALCVSS 9.8fixed in znuny 6.5.8-1 (forky)2024
CVE-2024-32491 [CRITICAL] CVE-2024-32491: znuny - An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.... An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server. Scope: local bookworm: open forky: resolved
debian
CVE-2024-32493HIGHCVSS 8.8fixed in znuny 6.5.8-1 (forky)2024
CVE-2024-32493 [HIGH] CVE-2024-32493: znuny - An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through... An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request. Scope: local bookworm: open forky: resolved (fixed in 6.5.8-1) sid: resolved (fixed in 6.5.8-1) trixie: resolved (fixed in 6.5.8-1)
debian
CVE-2024-48938HIGHCVSS 7.5fixed in znuny 6.5.11-1 (forky)2024
CVE-2024-48938 [HIGH] CVE-2024-48938: znuny - Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos ... Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process. Scope: local bookworm: open forky: resolved (fixed in 6.5.11-1) sid: resolved (fixed in 6.5.11-1) trixie: resolved (fixed in 6.5.11-1)
debian
CVE-2024-48937MEDIUMCVSS 6.1fixed in znuny 6.5.11-1 (forky)2024
CVE-2024-48937 [MEDIUM] CVE-2024-48937: znuny - Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaS... Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaScript code in the short description of the SLA field in Activity Dialogues is executed. Scope: local bookworm: open forky: resolved (fixed in 6.5.11-1) sid: resolved (fixed in 6.5.11-1) trixie: resolved (fixed in 6.5.11-1)
debian
CVE-2024-32492LOWCVSS 7.12024
CVE-2024-32492 [HIGH] CVE-2024-32492: znuny - An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail vi... An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail view in the customer front allows the execution of external JavaScript. Scope: local bookworm: resolved forky: resolved sid: resolved trixie: resolved
debian
CVE-2023-38060MEDIUMCVSS 6.3fixed in znuny 6.5.3-1 (forky)2023
CVE-2023-38060 [MEDIUM] CVE-2023-38060: otrs2 - Improper Input Validation vulnerability in the ContentType parameter for attachm... Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment. This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS
debian
CVE-2022-4427MEDIUMCVSS 6.5fixed in znuny 6.4.5-1 (bookworm)2022
CVE-2022-4427 [MEDIUM] CVE-2022-4427: otrs2 - Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Commun... Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. Scope: local bullseye: open
debian
CVE-2021-21441HIGHCVSS 7.5fixed in otrs2 6.0.32-5 (bullseye)2021
CVE-2021-21441 [HIGH] CVE-2021-21441: otrs2 - There is a XSS vulnerability in the ticket overview screens. It's possible to co... There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. O
debian
CVE-2021-21440MEDIUMCVSS 5.2fixed in otrs2 6.0.32-6 (bullseye)2021
CVE-2021-21440 [MEDIUM] CVE-2021-21440: otrs2 - Generated Support Bundles contains private S/MIME and PGP keys if containing fol... Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions. Scope: local bullseye: resolved (fixed in 6.0.32-6)
debian
CVE-2021-21439MEDIUMCVSS 6.5fixed in otrs2 6.0.32-5 (bullseye)2021
CVE-2021-21439 [MEDIUM] CVE-2021-21439: otrs2 - DoS attack can be performed when an email contains specially designed URL in the... DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0
debian
CVE-2021-36100MEDIUMCVSS 6.42021
CVE-2021-36100 [MEDIUM] CVE-2021-36100: otrs2 - Specially crafted string in OTRS system configuration can allow the execution of... Specially crafted string in OTRS system configuration can allow the execution of any system command. Scope: local bullseye: open
debian
1 / 2Next →