CVE-2020-11465

Опубликовано: 01 апр. 2020

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* endpoints failed to properly validate a user's privilege, allowing an attacker to control/install helpdesk applications and leak current applications' configurations, including applications used as user sources (used for authentication). This enables an attacker to forge valid authentication models that resembles any user on the system.

Ссылки

https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/
Exploit
Third Party Advisory
https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09
Release Notes
Vendor Advisory
https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update
Release Notes
Vendor Advisory
https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/
Exploit
Third Party Advisory
https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09
Release Notes
Vendor Advisory
https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:deskpro:deskpro:*:*:*:*:*:*:*:*

Версия до 2019.8.0 (исключая)

EPSS

Процентиль: 67%

0.00531

Низкий

8.8 High

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-862

Связанные уязвимости

GHSA-2j38-pmwm-2h3f

github

больше 3 лет назад

EPSS

Процентиль: 67%

0.00531

Низкий

8.8 High

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-862