
Cloud Vulnerability DB
A community-led vulnerabilities database
Zammad 5.2.0 was discovered to contain an Incorrect Access Control vulnerability (CVE-2022-35487). The vulnerability stems from improper authorization checks on certain attachment endpoints, which could allow unauthenticated attackers to gain unauthorized access to attachments, including emails and attached files. The issue was discovered by Erik Kipka and Wilfried Kirsch from softScheck GmbH and was fixed in Zammad version 5.2.1 (Zammad Advisory).
The vulnerability exists due to improper authorization validation on attachment endpoints in Zammad 5.2.0. The security flaw allows unauthorized access to the system's attachments, potentially exposing sensitive information stored in emails and attached files. The severity of this vulnerability is rated as high according to the vendor's security advisory (Zammad Advisory).
An unauthenticated attacker could exploit this vulnerability to gain unauthorized access to attachments stored in the Zammad system, including emails and attached files. This could lead to exposure of sensitive information stored in these attachments (Zammad Advisory).
The vulnerability has been fixed in Zammad version 5.2.1. Users are strongly advised to upgrade to this version or later. Updates can be obtained from the official Zammad website (zammad.org), the FTP server (ftp.zammad.com), or through the OS package manager (Zammad Advisory).
Source: This report was generated using AI