Hackers could have exploited cross-site scripting (XSS) vulnerabilities found in the well-known helpdesk platform Deskpro to hijack the sessions of administrators and take over the accounts of helpdesk agents.
This would give the attackers the same privileges as admins and agents in terms of what they could execute or the data they are exposed to, according to a blog by the Checkmarx researchers who discovered the flaw while auditing the platform. In specific circumstances, attackers could have reset the entire helpdesk, wiping all system data.
Given the shift to remote work and the need for helpdesk software that lets remote teams collaborate, Checkmarx audited Deskpro's security as part of the company's bug bounty program. Checkmarx researchers said attackers could exploit the issue in two ways:
Administrator session hijacking. This flaw had a CVSS score of 8.8, which security professionals consider high. The issue was found in Deskpro version 2020.2.9 running in a docker container using the official Deskpro docker image. However, the underlying problem – a stored XSS vulnerability – also affects the cloud version. Malicious users can execute arbitrary code in the victim's browser to exfiltrate the session token. With the token in hand, malicious users could hijack victims' sessions and execute actions on their behalf.
Agent account takeover. This vulnerability was assigned a CVSS score of 8.1, also considered high. The issue was found in Deskpro 2020.2.9, running in a docker container using the official Deskpro docker image. In this case too, the stored XSS vulnerability affects the cloud version. Malicious users can execute arbitrary code in the victim's browser, allowing them to take over a victim's account.
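Both findings rest on the same two conditions: stored user content is rendered into the agent or admin page without encoding, and the session token is reachable from script once that content executes. The following added example (not Deskpro's or Checkmarx's code; the ticket shape, the cookie name dp_session and the sample tickets are constructed for illustration) shows a ticket renderer in its vulnerable and hardened forms, a check that flags rendered markup that would execute in a browser, and a Set-Cookie inspector that reports whether the session cookie is shielded from script by HttpOnly.

```javascript
// Added example, not Deskpro code. Shows why stored XSS in a helpdesk leads to
// session theft and the two defensive controls that break the chain:
// contextual output encoding and an HttpOnly session cookie.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that matter in an HTML text/attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored ticket fields concatenated straight into markup,
// so whatever a requester typed is parsed as HTML in the agent's browser.
function renderTicketUnsafe(ticket) {
  return `<div class="ticket"><h2>${ticket.subject}</h2><p>${ticket.body}</p></div>`;
}

// Hardened pattern: every stored field is encoded for the HTML context first.
function renderTicketSafe(ticket) {
  return `<div class="ticket"><h2>${escapeHtml(ticket.subject)}</h2><p>${escapeHtml(ticket.body)}</p></div>`;
}

// Heuristic used by the audit below: does the rendered HTML contain a raw
// <script> element or a tag carrying an inline event handler? Encoded output
// has no raw '<', so correctly escaped content never matches.
function containsActiveScript(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Run a renderer over a set of tickets and count how many outputs would
// execute script. A non-zero count is a stored XSS finding.
function auditRender(renderFn, tickets) {
  return tickets.filter((t) => containsActiveScript(renderFn(t))).length;
}

// Parse one Set-Cookie header and report the attributes that keep a session
// token out of reach of injected script (HttpOnly) and off plain HTTP (Secure).
function sessionCookieHardening(setCookieHeader) {
  const parts = setCookieHeader.split(';').map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split('=')[0];
  let httpOnly = false;
  let secure = false;
  let sameSite = null;
  for (const attr of parts.slice(1)) {
    const [key, value] = attr.split('=');
    const k = key.toLowerCase();
    if (k === 'httponly') httpOnly = true;
    else if (k === 'secure') secure = true;
    else if (k === 'samesite') sameSite = value || null;
  }
  // scriptReadable is the property an XSS payload needs: document.cookie can
  // only return cookies that lack HttpOnly.
  return { name, httpOnly, secure, sameSite, scriptReadable: !httpOnly };
}

// Constructed sample tickets. The bodies carry inert markers (probe() is
// never defined) purely to show which renderer lets markup through.
const SAMPLE_TICKETS = [
  { subject: 'Printer offline', body: 'Please help <script>probe()</script>' },
  { subject: 'VPN "login" issue', body: 'see <img src=x onerror=probe()>' },
];

// Constructed Set-Cookie headers: one weak, one hardened.
const WEAK_SESSION_COOKIE = 'dp_session=c0nstructed; Path=/';
const HARDENED_SESSION_COOKIE = 'dp_session=c0nstructed; Path=/; HttpOnly; Secure; SameSite=Lax';

console.log('unsafe renderer, executable outputs:', auditRender(renderTicketUnsafe, SAMPLE_TICKETS));
console.log('safe renderer, executable outputs:  ', auditRender(renderTicketSafe, SAMPLE_TICKETS));
console.log('weak cookie:', sessionCookieHardening(WEAK_SESSION_COOKIE));
console.log('hardened cookie:', sessionCookieHardening(HARDENED_SESSION_COOKIE));
```

Both controls are needed: encoding stops the injected markup from executing at all, while HttpOnly limits the damage if some other rendering path is missed, because the payload can then no longer read the token with document.cookie. Neither replaces patching the platform itself.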
This finding once again proves that there is no such thing as error-free code, said Dirk Schrader, global vice president at New Net Technologies. Deskpro was quick in reacting to Checkmarx and in fixing the issue, he said, while asking for a 90-day hold period, which he said was reasonable to get the vast majority of installations patched.
"As usual, attackers will find those who have not listened to the call," Schrader said. "Controlling all changes to your environment ensures detection of unwanted changes, and scanning for vulnerabilities regularly with an up-to-date scanner ensures that – should the call for patching have been missed – an additional alarm gets raised."