{"api_version":"1","generated_at":"2026-04-10T04:05:34+00:00","cve":"CVE-2022-48023","urls":{"html":"https://cve.report/CVE-2022-48023","api":"https://cve.report/api/cve/CVE-2022-48023.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-48023","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-48023"},"summary":{"title":"CVE-2022-48023","description":"Insufficient privilege verification in Zammad v5.3.0 allows an authenticated attacker to perform changes on the tags of their customer tickets using the Zammad API. This is now corrected in v5.3.1 so that only agents with write permissions may change ticket tags.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2023-02-03 01:15:00","updated_at":"2023-02-09 17:49:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://zammad.com/de/advisories/zaa-2022-12","name":"https://zammad.com/de/advisories/zaa-2022-12","refsource":"MISC","tags":[],"title":"Security Advisory ZAA-2022-12 | Zammad","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-48023","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48023","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"48023","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zammad","cpe5":"zammad","cpe6":"5.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-48023","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Insufficient privilege verification in Zammad v5.3.0 allows an authenticated attacker to perform changes on the tags of their customer tickets using the Zammad API. This is now corrected in v5.3.1 so that only agents with write permissions may change ticket tags."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://zammad.com/de/advisories/zaa-2022-12","refsource":"MISC","name":"https://zammad.com/de/advisories/zaa-2022-12"}]}},"nvd":{"publishedDate":"2023-02-03 01:15:00","lastModifiedDate":"2023-02-09 17:49:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zammad:zammad:5.3.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}