CVE-2024-36078 Information

Description

In Zammad before 6.3.1 a Ruby gem bundled by Zammad is installed with world-writable file permissions. This allowed a local attacker on the server to modify the gem’s files injecting arbitrary code into Zammad processes (which run with the environment and permissions of the Zammad user).

Reference

https://zammad.com/en/advisories/zaa-2024-04