Vulnerability Details : CVE-2020-11463
An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user's password.
Products affected by CVE-2020-11463
- cpe:2.3:a:deskpro:deskpro:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11463
0.26% (probability of exploitation activity in the next 30 days)
Percentile: ~63% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-11463
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2020-11463
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11463
- https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09
  Deskpro Security Update (2019-09) - News / News - Deskpro Support (Release Notes; Vendor Advisory)
- https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/
  Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study – Redforce (Exploit; Third Party Advisory)
- https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update
  Deskpro v2019.8.0 Released (Security Update) - News / Release Announcements - Deskpro Support (Release Notes; Vendor Advisory)