Vulnerability CVE-2020-11466


Published: 2020-04-01

Description:
An issue was discovered in Deskpro before 2019.8.0. The /api/tickets endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve arbitrary information about all helpdesk tickets stored in database with numerous filters. This leaked sensitive information to unauthorized parties. Additionally, it leaked ticket authentication code, making it possible to make changes to a ticket.

Type:

CWE-200

(Information Exposure)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
2.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Deskpro -> Deskpro 

 References:
https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/
https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09
https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update

Copyright 2024, cxsecurity.com

 

Back to Top