Vulnerability Details : CVE-2020-2500
This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions.
Vulnerability category: BypassGain privilege
Products affected by CVE-2020-2500
- cpe:2.3:a:qnap:helpdesk:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-2500
0.26%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 46 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-2500
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
10.0
|
4.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
3.9
|
2.5
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
QNAP Systems, Inc. |
CWE ids for CVE-2020-2500
-
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Assigned by: security@qnapsecurity.com.tw (Secondary)
-
The product uses a hard-coded, unchangeable cryptographic key.Assigned by: security@qnapsecurity.com.tw (Secondary)
-
The product contains hard-coded credentials, such as a password or cryptographic key.Assigned by:
- nvd@nist.gov (Primary)
- security@qnapsecurity.com.tw (Secondary)
References for CVE-2020-2500
-
https://www.qnap.com/zh-tw/security-advisory/qsa-20-03
Improper Access Control in Helpdesk - Technical Advisory | QNAPVendor Advisory
Jump to