CVE-2025-43926: 
Linux Debian vulnerability analysis and mitigation

A vulnerability was discovered in Znuny versions through 6.5.14 and 7.x through 7.1.6, disclosed on May 8, 2025. The vulnerability affects the AgentPreferences UpdateAJAX subaction functionality, allowing custom AJAX calls to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings (NVD, Znuny Advisory).

The vulnerability is classified as CWE-79 (Cross-site Scripting) with a CVSS v3.1 base score of 6.1 (MEDIUM). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N) (NVD, Wiz).

When exploited, the vulnerability allows an agent with a valid session to elevate their permissions through XSS by modifying their own preferences. The GetUserData functionality retrieves these manipulated keys and values, which can then be used to affect permissions or other settings (Znuny Advisory, Wiz).

Debian 13 has released a fix for the vulnerability, while Debian 12 remains without a fix as of May 06, 2025. Ubuntu distributions are currently under evaluation for versions 25.04, 24.10, and 24.04 LTS (Ubuntu, Debian Tracker).