Authentication flaw

2020-04-0121:15:00

PRIOn knowledge base

www.prio-n.com

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.4%

JSON

An issue was discovered in Deskpro before 2019.8.0. The /api/tickets endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve arbitrary information about all helpdesk tickets stored in database with numerous filters. This leaked sensitive information to unauthorized parties. Additionally, it leaked ticket authentication code, making it possible to make changes to a ticket.

CPENameOperatorVersion
deskprolt2019.8.0

CPE	Name	Operator	Version
	deskpro	lt	2019.8.0

References

blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/

support.deskpro.com/en/news/posts/deskpro-security-update-2019-09

support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update