Vulnerability Description
An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user's password.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Deskpro | Deskpro | < 2019.8.0 |
Related Weaknesses (CWE)
References
- https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/ExploitThird Party Advisory
- https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09Release NotesVendor Advisory
- https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-upRelease NotesVendor Advisory
- https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/ExploitThird Party Advisory
- https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09Release NotesVendor Advisory
- https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-upRelease NotesVendor Advisory
FAQ
What is CVE-2020-11463?
CVE-2020-11463 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve cleartext credentials of all helpd...
How severe is CVE-2020-11463?
CVE-2020-11463 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11463?
Check the references section above for vendor advisories and patch information. Affected products include: Deskpro Deskpro.