CVE-2025-32360: 
NixOS vulnerability analysis and mitigation

In Zammad 6.4.x before 6.4.2, there exists an information exposure vulnerability identified as CVE-2025-32360. The vulnerability was discovered on April 5, 2025, affecting Zammad versions from 6.4.0 up to (but not including) 6.4.2. The issue stems from incorrect access control where logged-in customers could access and manipulate shared article drafts, which should only be accessible to agents (NVD, Zammad Advisory).

The vulnerability is characterized by improper access control mechanisms that allow customers to view shared draft details for their customer tickets through the browser console. The severity assessment according to CVSS 3.1 varies between sources, with NVD rating it as HIGH (Base Score: 8.1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) while MITRE rates it as MEDIUM (Base Score: 4.2, Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N). The vulnerability is classified under CWE-402 (Transmission of Private Resources into a New Sphere) (NVD).

The vulnerability exposes confidential information contained in shared article drafts to unauthorized users. Additionally, affected customers can manipulate these drafts through the API, potentially compromising the integrity of support ticket information (NVD, Zammad Advisory).

The vulnerability has been fixed in Zammad versions 6.4.2 and 6.5.0. Users are recommended to upgrade to one of these versions. Updates can be obtained through the official Zammad website, FTP server, or via OS package manager (Zammad Advisory).