CVE-2020-11466

An issue was discovered in Deskpro before 2019.8.0. The /api/tickets endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve arbitrary information about all helpdesk tickets stored in database with numerous filters. This leaked sensitive information to unauthorized parties. Additionally, it leaked ticket authentication code, making it possible to make changes to a ticket.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
mitreCNA
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AC:L/AV:N/A:L/C:H/I:L/PR:L/S:U/UI:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
VendorProductVersion
deskprodeskpro
𝑥
< 2019.8.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/
https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09
https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update
https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/
https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09
https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update