Privilege escalation

2020-04-0121:15:00

PRIOn knowledge base

www.prio-n.com

4.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.4%

JSON

An issue was discovered in Deskpro before 2019.8.0. The /api/people endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve sensitive information about all users registered on the system. This includes their full name, privilege, email address, phone number, etc.

CPENameOperatorVersion
deskprolt2019.8.0

CPE	Name	Operator	Version
	deskpro	lt	2019.8.0

References

blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/

support.deskpro.com/en/news/posts/deskpro-security-update-2019-09

support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update