{"id":"CVE-2017-5621","details":"An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. XSS can be triggered via malicious HTML in a chat message or the content of a ticket article, when using either the REST API or the WebSocket API.","modified":"2026-04-10T04:00:38.522065Z","published":"2017-03-13T06:59:00.340Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/96937"},{"type":"ADVISORY","url":"https://zammad.com/de/news/security-advisory-zaa-2017-01"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zammad/zammad","events":[{"introduced":"0"},{"last_affected":"0d82236e7bb4f7efa5ab6ae58660264862e16e84"},{"introduced":"0"},{"last_affected":"b13bb2fcaf6311ab0ab8470e797a101a260eaaa7"},{"introduced":"0"},{"last_affected":"e0c6eb0ac60ad0c47efb3ae8f2290a463fbdab00"},{"introduced":"0"},{"last_affected":"e9bfcac03148d5382b257ed93dc4f62cc81856c6"},{"introduced":"0"},{"last_affected":"a01cbd60d6f66a53307ea18ff31f743d17707d05"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.3"},{"introduced":"0"},{"last_affected":"1.1.0"},{"introduced":"0"},{"last_affected":"1.1.1"},{"introduced":"0"},{"last_affected":"1.1.2"},{"introduced":"0"},{"last_affected":"1.2.0"}]}}],"versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.1.0","1.1.1","1.1.2","1.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5621.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}