Password Revealed - security issue


  • Used Zammad version: 2.20
  • Used Zammad installation source: docker-compose
  • Operating system: RedHat
  • Browser + version: Chrome (latest)

Expected behavior:

Actual behavior:

  • Using a on hover password revealer tool shows the actual password as plain text that was used to setup the email settings.

Steps to reproduce the behavior:

  • Setup your email account to be associated with Zammad and fill in password.
    Then afterwards go to edit and use a password reveal tool.

Indead this could be a security issue.


In your environment the zammad admin is not allowed to know the password for the mailbox?
Because to reveal the password you have to be an admin of the zammad system that probably might already now the password.

Anyway I agree to that enhencement request.

We have multiple admins.
A shared mailbox from a microsoft exchange server is used.
however, to login to the share mailbox your personal credentials have to be used.
And we dont want to share personal credentials between eachother.
Nevertheless, the passwords can be revealed using a simple hover over tool.

Therefore wondering how passwords are stored in Zammad.
The email settings passwords seem to be stored as plain text, is this correct?
How are passwords from customers/agents/admins stored?

You could -at least as work around- create a dummy account that does not belong to a personal admin - you could use that exchange account to access the shared mailbox.
Normally you could also use the credentials of the shared mailbox directly - as long as I don’t missunderstand how you use your exchange accounts.

Neverless, this can be a problem. I guess that zammad does it this way, because most pop/imap connectors do the same within their config files.

From what I see in the database dumps the e-mail account credentials are stored in clear text - user information like agents and customers seem to be hashed passwords as you’d expect from a prober system :slight_smile:


I agree that the UI should not reveal the password, though.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.