VulnerableCode Package Details - pkg:deb/debian/znuny@6.5.15-2~bpo12%2B1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1g4b-vbh5-abd1	An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata.	CVE-2025-26846
VCID-21pk-e54u-wbaj	An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request.	CVE-2024-32493
VCID-5je9-4uyv-xfgk	An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.	CVE-2025-26847
VCID-6bn2-cftr-wye3	An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.	CVE-2025-43926
VCID-apr8-aeke-nbdr	Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment. This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.	CVE-2023-38060
VCID-q71k-mgt1-uqch	An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server.	CVE-2024-32491
VCID-r2b7-thas-1ugx	An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script.	CVE-2025-26845
VCID-u2x1-86g4-rkgh	An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog.	CVE-2025-26842
VCID-vx1p-8fb3-rbfs	Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaScript code in the short description of the SLA field in Activity Dialogues is executed.	CVE-2024-48937
VCID-xehp-7egv-nuan	Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process.	CVE-2024-48938
VCID-zkky-d94s-zuas	An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.	CVE-2025-26844

Vulnerability

Summary

Aliases

VCID-1g4b-vbh5-abd1

An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata.

CVE-2025-26846

VCID-21pk-e54u-wbaj

An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request.

CVE-2024-32493

VCID-5je9-4uyv-xfgk

An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.

CVE-2025-26847

VCID-6bn2-cftr-wye3

An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.

CVE-2025-43926

VCID-apr8-aeke-nbdr

Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment. This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

CVE-2023-38060

VCID-q71k-mgt1-uqch

An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server.

CVE-2024-32491

VCID-r2b7-thas-1ugx

An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script.

CVE-2025-26845

VCID-u2x1-86g4-rkgh

An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog.

CVE-2025-26842

VCID-vx1p-8fb3-rbfs

Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaScript code in the short description of the SLA field in Activity Dialogues is executed.

CVE-2024-48937

VCID-xehp-7egv-nuan

Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process.

CVE-2024-48938

VCID-zkky-d94s-zuas

An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.

CVE-2025-26844

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T16:16:32.238087+00:00	Debian Importer	Fixing	VCID-xehp-7egv-nuan	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:56:11.484021+00:00	Debian Importer	Fixing	VCID-21pk-e54u-wbaj	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:54:03.227995+00:00	Debian Importer	Fixing	VCID-5je9-4uyv-xfgk	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:44:22.945454+00:00	Debian Importer	Fixing	VCID-q71k-mgt1-uqch	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:43:51.655698+00:00	Debian Importer	Fixing	VCID-1g4b-vbh5-abd1	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:43:24.884174+00:00	Debian Importer	Fixing	VCID-u2x1-86g4-rkgh	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:31:30.386777+00:00	Debian Importer	Fixing	VCID-zkky-d94s-zuas	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:28:06.798498+00:00	Debian Importer	Fixing	VCID-vx1p-8fb3-rbfs	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:24:07.144586+00:00	Debian Importer	Fixing	VCID-r2b7-thas-1ugx	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:22:56.671678+00:00	Debian Importer	Fixing	VCID-apr8-aeke-nbdr	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:13:15.027491+00:00	Debian Importer	Fixing	VCID-6bn2-cftr-wye3	https://security-tracker.debian.org/tracker/data/json	36.1.3