CVE-2020-11466

low-risk

Published 2020-04-01

An issue was discovered in Deskpro before 2019.8.0. The /api/tickets endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve arbitrary information about all helpdesk tickets stored in database with numerous filters. This leaked sensitive information to unauthorized parties. Additionally, it leaked ticket authentication code, making it possible to make changes to a ticket.

Do I need to act?

0.35% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Deskpro

Affected Vendors

Deskpro

References (6)

Exploit https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/

Release Notes https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09

Release Notes https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-up...

Exploit https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/

Release Notes https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09

Release Notes https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-up...

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal