CVE-2025-43926

Published May 8, 2025

Last updated a month ago

CVSS medium 6.1

Overview

Description: An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Secondary
Base score: 6.1
Impact score: 2.7
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-79

Hype score: Not currently trending

CVE-2025-43926 An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferen… https://t.co/HDKQwDJQ4n
@CVEnew
8 May 2025
359 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:znuny:znuny:*:*:*:*:-:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9AE6EEAD-6B04-4C77-B2C5-F3664B3ACBA6",
            "versionEndIncluding": "6.5.14"
          },
          {
            "criteria": "cpe:2.3:a:znuny:znuny:*:*:*:*:-:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "56F16A91-751A-457A-9DAE-9B5600B4DE82",
            "versionEndIncluding": "7.1.6",
            "versionStartIncluding": "7.0.1"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References