## Security Advisory Details

- **ID:** ZAA-2021-14
- **Date:** 10/05/2021
- **Title:** Remote code execution due to insecure deserialization
- **Severity:** medium
- **Product:** Zammad 1.0.x up to 4.1.0
- **Fixed in:** Zammad 4.1.1, 5.0.0
- **References:**
  - CVE: CVE-2021-42090

## Vulnerability Descriptions

**Remote code execution due to insecure deserialization**

Zammad includes a form functionality that can be embedded in a website. Website visitors can create a ticket via the form. However, a vulnerability in the deserialization of the submitted form data allows malicious code to be executed in the context of the application server.

## Special Thanks

- **N:** Emil Virkki
- **D:** Security Researcher
- **W:** https://github.com/emilvirkki

## Recommended Resolution

This vulnerability is fixed in the latest versions of Zammad. It is recommended to upgrade to one of these. Fixed releases can be found at:

- https://zammad.org/
- https://ftp.zammad.com/

Alternatively, update your Zammad via the OS package manager.

## Additional Information

- **Online version:** https://zammad.com/en/advisories/zaa-2021-14
- **Contact:** Send remarks on security issues to security@zammad.com.