CVE-2023-50455

An issue was discovered in Zammad before 6.2.0. Due to lack of rate limiting in the "email address verification" feature, an attacker could send many requests for a known address to cause Denial Of Service (generation of many emails, which would also spam the victim).

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://zammad.com/en/advisories/zaa-2023-06	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zammad:zammad:6.1.0:-::::::
	cpe:2.3:a:zammad:zammad:6.1.0:alpha::::::
	cpe:2.3:a:zammad:zammad:6.2.0:alpha::::::

History

13 Dec 2023, 18:03

Type	Values Removed	Values Added
References	~~() https://zammad.com/en/advisories/zaa-2023-06 -~~	() https://zammad.com/en/advisories/zaa-2023-06 - Vendor Advisory
CPE		cpe:2.3:a:zammad:zammad:6.1.0:alpha:::::: cpe:2.3:a:zammad:zammad:6.1.0:-:::::: cpe:2.3:a:zammad:zammad:6.2.0:alpha::::::
CWE		CWE-770
First Time		Zammad zammad Zammad
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

11 Dec 2023, 12:20

Type	Values Removed	Values Added
Summary		(es) Se descubrió un problema en Zammad antes de la versión 6.2.0. Debido a la falta de limitación de velocidad en la función "verificación de dirección de correo electrónico", un atacante podría enviar muchas solicitudes a una dirección conocida para provocar una denegación de servicio (generación de muchos correos electrónicos, que también enviarían spam a la víctima).

10 Dec 2023, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-10 19:15

Updated : 2023-12-13 18:03

NVD link : CVE-2023-50455

Mitre link : CVE-2023-50455

CVE.ORG link : CVE-2023-50455

JSON object : View

Products Affected

zammad

zammad

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10