Security Advisory Details

ID: ZAA-2021-14
Date: 10/05/2021
Title: Remote code execution due to insecure deserialization
Severity: medium
Product: Zammad 1.0.x up to 4.1.0
Fixed in: Zammad 4.1.1, 5.0.0
References:
- CVE: CVE-2021-42090

Vulnerability Description

Remote code execution due to insecure deserialization

Zammad includes a form functionality that can be embedded in a website. Website visitors can create a ticket via the form. However, a vulnerability in the deserialization of the submitted form data allows malicious code execution in the context of the application server.

Special Thanks

N: Emil Virkki
D: Security Researcher
W: https://github.com/emilvirkki

Recommended Resolution

This vulnerability is fixed in the latest versions of Zammad. It is recommended to upgrade to one of these. Fixed releases can be found at:

https://zammad.org/
https://ftp.zammad.com/

Alternatively, update your Zammad via the OS package manager.

Additional Information

Online version: https://zammad.com/en/advisories/zaa-2021-14
Contact: Send remarks or security issues to security@zammad.com.