CVE-2025-32359 MEDIUM

CVE-2025-32359

Vendor Zammad
Product Zammad
Weakness CWE-602 · Client-side enforcement
Published April 5, 2025
Last update April 7, 2025

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

In Zammad 6.4.x before 6.4.2, there is client-side enforcement of server-side security. When changing their two factor authentication configuration, users need to re-authenticate with their current password first. However, this change was enforced in Zammad only on the front end level, and not when using the API directly.

Key dates

02Disclosure timeline

April 5, 2025 CVE published
April 7, 2025 Record updated