Vulnerability Description
An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* endpoints failed to properly validate a user's privilege, allowing an attacker to control/install helpdesk applications and leak current applications' configurations, including applications used as user sources (used for authentication). This enables an attacker to forge valid authentication models that resembles any user on the system.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Deskpro | Deskpro | < 2019.8.0 |
Related Weaknesses (CWE)
References
- https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/ExploitThird Party Advisory
- https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09Release NotesVendor Advisory
- https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-upRelease NotesVendor Advisory
- https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/ExploitThird Party Advisory
- https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09Release NotesVendor Advisory
- https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-upRelease NotesVendor Advisory
FAQ
What is CVE-2020-11465?
CVE-2020-11465 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* endpoints failed to properly validate a user's privilege, allowing an attacker to control/install helpdesk applications and leak cur...
How severe is CVE-2020-11465?
CVE-2020-11465 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11465?
Check the references section above for vendor advisories and patch information. Affected products include: Deskpro Deskpro.