ZSA-2021-05
This issue was identified by Christopher Theuerkauf and was published via the CVE list.
If the System Configuration setting for the linked ticket objects is modified to show FAQ content, which should need at least ro permissions, the content will be shown without a permission check.
The issue is fixed in the current release 6.0.29 which is available via the package manager and our download server