CVE-2018-1000154
CVE-2018-1000154 is a vulnerability of currently unknown severity. Zammad GmbH Zammad version 2.3.0 and earlier contains an Improper Neutralization of Script-Related HTML Tags in a Web Page (CWE-80) vulnerability in the subject of emails, which is not HTML-quoted in certain cases. This can result in the embedding and execution of JavaScript code in the user's browser. EPSS estimates a 1.60% chance of exploitation in the next 30 days.
Description
Zammad GmbH Zammad version 2.3.0 and earlier contains an Improper Neutralization of Script-Related HTML Tags in a Web Page (CWE-80) vulnerability in the subject of emails, which is not HTML-quoted in certain cases. This can result in the embedding and execution of JavaScript code in the user's browser. This attack appears to be exploitable via the victim opening a ticket. This vulnerability appears to have been fixed in 2.3.1, 2.2.2 and 2.1.3.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Zammad | Zammad | <= 2.3.0 |
References
- https://github.com/zammad/zammad/issues/1869 (Third Party Advisory)
- https://zammad.com/news/release-2-4 (Vendor Advisory)
- https://zammad.com/news/security-advisory-zaa-2018-01 (Vendor Advisory)
Timeline
- Status: Modified
Source: NVD / NIST
