We have an old installation of Zammad 3.1.x (package install, CentOS 7)
that was vulnerable to stored XSS via a custom avatar (CVE-2021-42085).
We followed the Security Advisory ZAA-2021-17 and updated to the latest version of Zammad 5.0.x.
No more new XSS via a custom Avatar can be stored (tested).
But the previous XSS can still be triggered (samples from pen-testing).
How can we find and delete all possible stored XSS?
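One way to triage the avatars that were stored before the upgrade, as an added example for this thread (it is not Zammad's own tooling and not from the original post): it assumes the stored avatar blobs have been exported to plain files in one directory (how to export them depends on the Zammad storage backend and is not shown here), checks each blob's magic bytes against an allow-list of raster formats, searches the body for markup a browser could execute, and moves anything suspicious into a quarantine directory instead of deleting it outright. The sample blobs, the allow-list and the regular expression are this example's own constructions.

```python
"""Triage exported avatar blobs for content a browser could execute.

Added example, not Zammad code. Assumes the blobs have already been exported
as files under one directory (hypothetical; the export step is not shown).
"""
import os
import re
import shutil
import tempfile

# Raster formats a browser renders in <img> without running embedded script.
# SVG is deliberately absent: it is an XML document and may carry script.
RASTER_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Markup fragments that should never appear inside a raster image body.
MARKUP_RE = re.compile(
    rb"<\s*svg|<\s*script|<\s*/?\s*html|javascript:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def detect_format(data: bytes):
    """Return the raster format name for a blob, or None if it has none."""
    for name, magic in RASTER_MAGIC.items():
        if data.startswith(magic):
            return name
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def classify_blob(data: bytes) -> dict:
    """Verdict for one blob: unknown format or embedded markup => suspicious."""
    fmt = detect_format(data)
    hit = MARKUP_RE.search(data)
    return {
        "format": fmt,
        "markup": hit.group(0).decode("ascii", "replace") if hit else None,
        "suspicious": fmt is None or hit is not None,
    }


def scan_directory(root: str) -> dict:
    """Map each file under root (by base name) to its verdict."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                verdicts[name] = classify_blob(fh.read())
    return verdicts


def suspicious_names(root: str) -> list:
    """Sorted base names of blobs flagged as suspicious."""
    return sorted(n for n, v in scan_directory(root).items() if v["suspicious"])


def quarantine_suspicious(root: str, quarantine_dir: str = None) -> list:
    """Move flagged blobs out of the served tree; keep them for the incident record."""
    quarantine_dir = quarantine_dir or tempfile.mkdtemp(prefix="avatar_quarantine_")
    moved = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if classify_blob(fh.read())["suspicious"]:
                    shutil.move(path, os.path.join(quarantine_dir, name))
                    moved.append(name)
    return sorted(moved)


def build_samples() -> str:
    """Write constructed sample blobs to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="avatars_")
    samples = {
        "good.png": RASTER_MAGIC["png"] + b"\x00" * 32,
        "good.jpg": RASTER_MAGIC["jpeg"] + b"\xe0" + b"\x00" * 32,
        # Shape of an SVG avatar carrying a script element; no payload included.
        "svg_avatar.png": b"<svg xmlns='http://www.w3.org/2000/svg'><script>/* marker */</script></svg>",
        # Valid PNG header followed by an event-handler attribute (polyglot).
        "polyglot.png": RASTER_MAGIC["png"] + b"\x00" * 8 + b"<img onerror=x>",
        # Not an image at all.
        "text.png": b"hello, not an image",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_samples()
    for name, verdict in sorted(scan_directory(root).items()):
        print(name, verdict)
    print("quarantined:", quarantine_suspicious(root))
```

The check is intentionally conservative: a genuine PNG whose metadata chunk happens to contain a string like `onload=` is flagged too, so treat the result as a review list rather than a final verdict, and keep the quarantined files until the incident is closed.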