ID: ZAA-2020-06

Date: 03/03/2020

Title: WebSocket Server DoS

Severity: medium

Product: Zammad 1.0.x up to 3.2.0

Fixed in: Zammad 3.2.1, 3.3.0

References: CVE-2020-10101

Vulnerability Description: Zammad's WebSocket server crashes when an attacker sends messages that are not formatted as JSON. Because of improper message format checking and parsing error handling, such a message crashes the service process.

Special Thanks: Martin von Wittich (Security Researcher) - https://twitter.com/martinvwittich

Recommended Resolution: Upgrade to the latest versions of Zammad where the vulnerability is fixed. Fixed releases are available at: https://zammad.org/, https://ftp.zammad.com/.

Additional Information: Online version of this advisory: https://zammad.com/en/advisories/zaa-2020-06
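The failure class described above, shown as an added Ruby example; it is not Zammad's code or its actual fix. The handler names, the `event` field, and the size limit are assumptions made for illustration: one handler lets a parse error escape, the other checks format and handles parse errors so the process keeps serving.

```ruby
require 'json'

# Hypothetical WebSocket message handlers for illustration only.
MAX_MESSAGE_BYTES = 64 * 1024 # assumed per-message size limit

# Fragile form: any frame that is not valid JSON raises JSON::ParserError.
# If nothing above this call rescues it, the exception ends the process.
def handle_message_fragile(raw)
  data = JSON.parse(raw)
  data['event']
end

# Hardened form: validate type and size, rescue parse errors, and check
# the shape of the parsed value before using it.
def handle_message(raw)
  return [:rejected, 'not a string'] unless raw.is_a?(String)
  return [:rejected, 'too large'] if raw.bytesize > MAX_MESSAGE_BYTES

  begin
    data = JSON.parse(raw)
  rescue JSON::ParserError
    # Also covers JSON::NestingError, a subclass of ParserError.
    return [:rejected, 'invalid JSON']
  end

  # Valid JSON is not necessarily an object: arrays, strings and null
  # parse successfully but would break a later data['event'] lookup.
  return [:rejected, 'not an object'] unless data.is_a?(Hash)

  event = data['event']
  return [:rejected, 'missing event'] unless event.is_a?(String)

  [:ok, event]
end

# Constructed sample frames, not captured traffic.
SAMPLE_FRAMES = ['{"event":"ping"}', 'hello', '', '[1,2]', 'null', '{"event":5}'].freeze

# Every frame is processed; a bad frame is rejected, not fatal.
def process_all(frames)
  frames.map { |frame| handle_message(frame) }
end

if $PROGRAM_NAME == __FILE__
  process_all(SAMPLE_FRAMES).each { |status, detail| puts "#{status}: #{detail}" }
end
```

Logging each rejection together with the connection identifier gives operations a signal for clients that repeatedly send malformed frames.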