CVE-2020-11466

Опубликовано: 01 апр. 2020

Источник: nvd

CVSS3: 7.6

CVSS3: 4.3

CVSS2: 4

EPSS Низкий

Описание

An issue was discovered in Deskpro before 2019.8.0. The /api/tickets endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve arbitrary information about all helpdesk tickets stored in database with numerous filters. This leaked sensitive information to unauthorized parties. Additionally, it leaked ticket authentication code, making it possible to make changes to a ticket.

Ссылки

https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/
Exploit
Third Party Advisory
https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09
Release Notes
Vendor Advisory
https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update
Release Notes
Vendor Advisory
https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/
Exploit
Third Party Advisory
https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09
Release Notes
Vendor Advisory
https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:deskpro:deskpro:*:*:*:*:*:*:*:*

Версия до 2019.8.0 (исключая)

EPSS

Процентиль: 57%

0.00353

Низкий

7.6 High

CVSS3

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-269

Связанные уязвимости

GHSA-r6x8-c338-2jr5

github

больше 3 лет назад

EPSS

Процентиль: 57%

0.00353

Низкий

7.6 High

CVSS3

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-269