7.5

CVE-2020-11463

Exploit

EPSS 0.43%
Veröffentlicht 01.04.2020 21:15:14
Zuletzt bearbeitet 21.11.2024 04:57:58
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user's password.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Deskpro ≫ Deskpro Version < 2019.8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.615

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro/

Third Party Advisory

Exploit

https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09

Vendor Advisory

Release Notes

https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update

Vendor Advisory

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2020-11463

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-11463

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-11463

EUVD