An issue was discovered in Zammad before 3.4.1. There is Stored XSS via a Tags element in a TIcket.
Published December 28, 2020.
Zammad Zammad