Vulnerability Details : CVE-2020-11466
An issue was discovered in Deskpro before 2019.8.0. The /api/tickets endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve arbitrary information about all helpdesk tickets stored in the database, using numerous filters. This leaked sensitive information to unauthorized parties. Additionally, it leaked the ticket authentication code, making it possible to make changes to a ticket.
Products affected by CVE-2020-11466
- cpe:2.3:a:deskpro:deskpro:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11466
- Score: 0.08% (probability of exploitation activity in the next 30 days)
- Percentile: ~31% (the proportion of vulnerabilities scored at or below this EPSS score)
- EPSS Score History
CVSS scores for CVE-2020-11466
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | 
7.6 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L | 2.8 | 4.7 | MITRE | 
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 | NIST | 
CWE ids for CVE-2020-11466
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11466
- https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09 — Deskpro Security Update (2019-09) - News / News - Deskpro Support (Release Notes; Vendor Advisory)
- https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/ — Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study – Redforce (Exploit; Third Party Advisory)
- https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update — Deskpro v2019.8.0 Released (Security Update) - News / Release Announcements - Deskpro Support (Release Notes; Vendor Advisory)