Authentication flaw

2020-04-0121:15:00

PRIOn knowledge base

www.prio-n.com

8.6 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.7%

JSON

An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* endpoints failed to properly validate a user’s privilege, allowing an attacker to control/install helpdesk applications and leak current applications’ configurations, including applications used as user sources (used for authentication). This enables an attacker to forge valid authentication models that resembles any user on the system.

CPENameOperatorVersion
deskprolt2019.8.0

CPE	Name	Operator	Version
	deskpro	lt	2019.8.0

References

blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/

support.deskpro.com/en/news/posts/deskpro-security-update-2019-09

support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update