CVE-2020-10105: 
NixOS vulnerability analysis and mitigation

A source code disclosure vulnerability was discovered in Zammad versions 3.0 through 3.2. The vulnerability allows the application to return source code of static resources when submitting an OPTIONS request instead of a GET request. This vulnerability was disclosed on March 3, 2020, and was assigned the identifier CVE-2020-10105 (Debian Tracker, Zammad Advisory).

The vulnerability specifically affects the handling of OPTIONS requests in Zammad. When an OPTIONS request is made to static resources, such as the file '/zammad/public/404.html', the application incorrectly returns the source code of the file instead of processing it as a normal GET request. The vulnerability was classified with a low severity rating (Zammad Advisory).

The exposure of source code through this vulnerability enables attackers to gain insights into the application's implementation details, potentially allowing them to formulate more precise and targeted attacks against the system (Debian Tracker).

The vulnerability has been fixed in Zammad versions 3.2.1 and 3.3.0. Users are recommended to upgrade to these or later versions. Updates can be obtained through the official Zammad website, FTP server, or through the operating system's package manager (Zammad Advisory).