Key Vulnerability Information from the Screenshot

ID: ZAA-2020-17
Date: 09/22/2020
Title: Tag and Link REST API endpoints lack CSRF token check
Severity: Low
Product: Zammad 1.0.x up to 3.4.0
Fixed in: Zammad 3.4.1, 3.5.0
CVE: Pending

Vulnerability Description:
The vulnerability exists because the add and delete REST API endpoints for Tags and Links were requested via GET requests, leading to no CSRF token checks being performed. This could allow an attacker to manipulate Tags and Links associated with a user trusted by the web application.

Recommended Resolution:
Upgrade to the latest Zammad version, as the vulnerability has been fixed. Fixed releases can be obtained from:
Alternatively, update the Zammad installation via the OS package manager.

Additional Information:
Online version of this advisory:
Contact: security@zammad.com
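
The failure mode in the vulnerability description, as an added example that is not taken from the advisory or from Zammad's code: a verb-based CSRF filter exempts GET and HEAD, so a state-changing action routed over GET is never token-checked, and a route audit can flag that. The route paths and action names are constructed, and the "after" table is an assumed typical correction, not a description of the actual patch.

```ruby
# Added illustration; routes and action names are constructed, not Zammad's.
SAFE_VERBS = %w[GET HEAD].freeze
STATE_CHANGING = /\A(add|remove|delete|destroy|create|update)/.freeze

# Models a verb-based CSRF filter: safe verbs are exempt from token checks
# (Rails' protect_from_forgery behaves this way for GET and HEAD).
def csrf_token_checked?(verb)
  !SAFE_VERBS.include?(verb.upcase)
end

# Decide whether a request reaches the action. A cross-site request carries
# the user's session cookie but cannot supply the per-session CSRF token.
def request_allowed?(route, has_valid_token:)
  return true unless csrf_token_checked?(route[:verb])
  has_valid_token
end

# Flag routes whose action changes state yet is reachable through a safe verb.
def audit_routes(routes)
  routes.select do |r|
    !csrf_token_checked?(r[:verb]) && r[:action].match?(STATE_CHANGING)
  end
end

# Constructed route table showing the flawed pattern (hypothetical paths).
ROUTES_BEFORE = [
  { verb: 'GET', path: '/example/tags',        action: 'list' },
  { verb: 'GET', path: '/example/tags/add',    action: 'add' },
  { verb: 'GET', path: '/example/tags/remove', action: 'remove' },
  { verb: 'GET', path: '/example/links/add',   action: 'add' }
].freeze

# Assumed correction: state changes move to verbs the filter checks.
ROUTES_AFTER = [
  { verb: 'GET',    path: '/example/tags',        action: 'list' },
  { verb: 'POST',   path: '/example/tags/add',    action: 'add' },
  { verb: 'DELETE', path: '/example/tags/remove', action: 'remove' },
  { verb: 'POST',   path: '/example/links/add',   action: 'add' }
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_routes(ROUTES_BEFORE).each do |r|
    puts "no CSRF check on state change: #{r[:verb]} #{r[:path]}"
  end
end
```

The same audit can be run against a real route dump by feeding it verb, path and action triples in place of the constructed tables.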