Vulnerability Details : CVE-2020-11465
An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* endpoints failed to properly validate a user's privilege, allowing an attacker to control/install helpdesk applications and leak the configurations of currently installed applications, including applications used as user sources (used for authentication). This enables an attacker to forge valid authentication models that resemble any user on the system.
Products affected by CVE-2020-11465
- cpe:2.3:a:deskpro:deskpro:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11465
- EPSS score: 0.62% (probability of exploitation activity in the next 30 days)
- Percentile: ~68% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2020-11465
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | MITRE |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2020-11465
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2020-11465
- https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09
  Deskpro Security Update (2019-09) - News / News - Deskpro Support (Release Notes; Vendor Advisory)
- https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/
  Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study - Redforce (Exploit; Third Party Advisory)
- https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update
  Deskpro v2019.8.0 Released (Security Update) - News / Release Announcements - Deskpro Support (Release Notes; Vendor Advisory)