ZSA-2022-07
Sorry to disturb your holiday preparations, but there is an SQL injection vulnerability in Kernel::System::Ticket::TicketSearch, which can be exploited using the web service operation "TicketSearch".
We have released a fix for Znuny 6.0 LTS and Znuny 6.4.
If you can't perform a patch-level update right now, we have also released patched files, which can be found here:
- TicketSearch.pm (Znuny 6.0 LTS)
- TicketSearch.pm (Znuny 6.4)
Thanks to "Tim Püttmanns (maxence.de)" for reporting.