How the CVE Works:
CVE-2025-32360 exposes agent-only shared draft data in Zammad 6.4.x before 6.4.2 because of missing authorization checks. An authenticated customer can read shared draft details intended only for agents: the application hands the draft data to the client, where it is visible through the browser's developer console, and the same missing check lets the customer read or modify those drafts through the API, so the flaw risks both disclosure and tampering of confidential ticket drafts. The root cause is that the server does not verify the agent permission before returning or accepting draft data; hiding the data on the client is not an access control, so the server-side permission check is the actual fix.
DailyCVE Form:
Platform: Zammad
Version: 6.4.x (<6.4.2)
Vulnerability: Information Exposure
Severity: Medium
Date: 04/05/2025
What Undercode Say:
Analytics:
- Impact: Confidentiality (agent-only draft contents disclosed) and integrity (drafts modified by customers).
- Attack Vector: Network; requires an authenticated low-privilege (customer) account.
- Exploitability: Low complexity, no user interaction.
Exploit Commands:
1. Browser console inspection (the storage key is illustrative; inspect whatever client-side state holds the ticket payload in your instance):
// Prints draft data that a customer session should never have received
console.log(JSON.parse(localStorage.getItem('sharedDrafts')));
2. API tampering (curl; endpoint path and placeholders are illustrative, a JSON body needs the Content-Type header or the server will not parse it):
curl -X PATCH -H "Authorization: Bearer <CUSTOMER_TOKEN>" -H "Content-Type: application/json" -d '{"content":"malicious"}' https://<zammad>/api/v1/ticket_drafts/<ID>
Mitigation Commands:
1. Upgrade Zammad (package install; the exact package version string differs per repository, so check apt-cache policy zammad before pinning a version):
sudo apt update && sudo apt install zammad
2. Confirm the installed version is 6.4.2 or later:
dpkg -s zammad | grep '^Version'
Protection Code:
1. Server-side authorization (Ruby on Rails example, not Zammad's own code; the action names, current_user and the permission name are placeholders):
before_action :require_agent, only: [:show, :update, :destroy]

def require_agent
  # Deny the request outright for anyone without the agent permission
  head :forbidden unless current_user&.permissions?('ticket.agent')
end
2. Client-side hardening (JavaScript; defence in depth only, since a user controls their own browser this never replaces the server-side check):
if (user.role !== 'agent') { delete window.sharedDrafts; }
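The following is an added example, not Zammad's code, showing the authorization gap described above in a runnable form: a draft policy that merely inherits the ticket's access rule lets a customer read and change an agent draft, while a hardened policy requires the agent permission on top of ticket access, and the ticket serializer then omits the draft for customers so nothing reaches the browser. The User, Ticket and SharedDraft structs, the permission names and the agent_groups field are assumptions for illustration.

```ruby
# Added example, not Zammad's own code: a minimal model of the missing
# server-side authorization for agent-only shared drafts. The structs, the
# permission names and the agent_groups field are assumptions.

User = Struct.new(:id, :permissions, :agent_groups, keyword_init: true) do
  def agent?
    permissions.include?("ticket.agent")
  end

  def customer?
    permissions.include?("ticket.customer")
  end
end

Ticket      = Struct.new(:id, :group_id, :customer_id, keyword_init: true)
SharedDraft = Struct.new(:id, :ticket, :body, keyword_init: true)

# Vulnerable shape: the draft inherits the ticket's read/write rule, so a
# customer who may read the ticket may also read and change its agent draft.
class VulnerableDraftPolicy
  def initialize(user, draft)
    @user  = user
    @draft = draft
  end

  def show?
    ticket_accessible?
  end

  def update?
    ticket_accessible?
  end

  private

  def ticket_accessible?
    ticket = @draft.ticket
    return true if @user.agent? && @user.agent_groups.include?(ticket.group_id)

    @user.customer? && ticket.customer_id == @user.id
  end
end

# Hardened shape: shared drafts are agent-internal, so the agent permission is
# required in addition to ticket access, for reading as well as writing.
class HardenedDraftPolicy < VulnerableDraftPolicy
  def show?
    @user.agent? && super
  end

  def update?
    @user.agent? && super
  end
end

# Builds the ticket JSON the client would receive. With the hardened policy the
# shared_draft key is absent for customers, so there is nothing for a customer
# to find in the browser console, memory or localStorage.
def ticket_payload(user, draft, policy_class)
  ticket  = draft.ticket
  payload = { id: ticket.id, group_id: ticket.group_id }
  payload[:shared_draft] = { id: draft.id, body: draft.body } if policy_class.new(user, draft).show?
  payload
end

# Constructed sample data (not from any real instance).
AGENT       = User.new(id: 1, permissions: ["ticket.agent"], agent_groups: [10])
OTHER_AGENT = User.new(id: 3, permissions: ["ticket.agent"], agent_groups: [99])
CUSTOMER    = User.new(id: 2, permissions: ["ticket.customer"], agent_groups: [])
TICKET      = Ticket.new(id: 100, group_id: 10, customer_id: 2)
DRAFT       = SharedDraft.new(id: 7, ticket: TICKET, body: "internal: may offer refund up to 50")

if __FILE__ == $PROGRAM_NAME
  [VulnerableDraftPolicy, HardenedDraftPolicy].each do |policy|
    leaked = ticket_payload(CUSTOMER, DRAFT, policy).key?(:shared_draft)
    puts "#{policy}: customer receives shared_draft? #{leaked}"
  end
end
```

Note that the hardened policy still denies an agent who is not in the ticket's group, so adding the agent check does not widen access elsewhere; the fix narrows what customers can do without changing what agents already could.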
Log Monitoring:
Flag write requests against draft endpoints, then check each hit's acting user against its role in Zammad; the request log does not record the role, so filtering out lines containing 'agent' would not identify customer calls. Adjust the log path to your installation:
grep -E '(PUT|PATCH|DELETE) [^ ]*draft' /var/log/zammad/api.log
References:
- Patch: Zammad 6.4.2 Changelog
- CVE Details: MITRE Entry
Sources:
Reported By: nvd.nist.gov