The Cyber Security News
Researchers Reported Critical SQLi and Access Flaws in Zendesk Analytics Service

November 15, 2022

Cybersecurity researchers have disclosed details of now-patched flaws in Zendesk Explore that could have been exploited by an attacker to gain unauthorized access to information from customer accounts that have the feature enabled.

“Before it was patched, the flaw would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk accounts with Explore enabled,” Varonis said in a report shared with The Hacker News.

The cybersecurity firm said there was no evidence to suggest that the issues were actively exploited in real-world attacks. No action is required on the part of customers.


Zendesk Explore is a reporting and analytics solution that allows organizations to “view and analyze key information about your customers, and your support resources.”

According to the security software company, exploitation of the shortcoming first requires an attacker to register for the ticketing service of the victim's Zendesk account as a new external user, a feature that is likely enabled by default to let end-users submit support tickets.

The vulnerability relates to an SQL injection in its GraphQL API that could be abused to exfiltrate all information stored in the database as an admin user, including email addresses, tickets, and conversations with live agents.

A second flaw concerns a logic access issue associated with a query execution API, which was configured to run the queries without checking whether the “user” making the call had sufficient permission to do so.

“This meant that a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account's RDS, no SQLi required,”
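The two weaknesses described above, as an added illustration that is not Varonis's or Zendesk's code: a tenant-scoped lookup built by string concatenation beside its parameterised form, and a query execution entry point that verifies the caller's role before running anything. The in-memory SQLite schema, table names and roles are constructed for the example and do not reflect Zendesk's real database.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an analytics store (not Zendesk's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tickets(id INTEGER, account_id INTEGER, subject TEXT);
        INSERT INTO tickets VALUES (1, 100, 'Printer broken'), (2, 200, 'Login issue');
    """)
    return conn


def vulnerable_ticket_search(conn, account_id, subject_filter):
    # The filter is spliced into the SQL text, so a quote inside it changes the
    # query structure instead of being matched as data; the tenant scope is lost.
    sql = ("SELECT subject FROM tickets WHERE account_id=%d AND subject LIKE '%s'"
           % (account_id, subject_filter))
    return [row[0] for row in conn.execute(sql)]


def safe_ticket_search(conn, account_id, subject_filter):
    # Parameterised query: the driver binds the filter as a value, never as SQL,
    # so the account_id predicate always applies.
    sql = "SELECT subject FROM tickets WHERE account_id=? AND subject LIKE ?"
    return [row[0] for row in conn.execute(sql, (account_id, subject_filter))]


def execute_query(conn, caller, sql):
    # Authorisation check of the kind the second flaw lacked: the caller's role
    # is verified before any ad-hoc query is executed on their behalf.
    if caller.get("role") != "admin":
        raise PermissionError("only admins may run ad-hoc analytics queries")
    return list(conn.execute(sql))


if __name__ == "__main__":
    db = make_db()
    probe = "%' OR '1'='1"  # constructed filter containing a quote character
    print(vulnerable_ticket_search(db, 100, probe))  # both tenants' tickets leak
    print(safe_ticket_search(db, 100, probe))        # []: treated as a literal pattern
```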

Varonis said the issues were disclosed to Zendesk on August 30, following which the weaknesses were rectified by the company on September 8, 2022.


Some parts of this report are sourced from:
thehackernews.com
