Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Multiple vulnerabilities in HelpDezk Community

Posted date 20/07/2023
Identificador

INCIBE-2023-0291

Importance
5 - Critical
Affected Resources

HelpDezk Community, version 1.1.10.

Description

INCIBE has coordinated the publication of 2 vulnerabilities in HelpDezk Community, a software for managing requests and incidents, which have been discovered by David Utón Amaya (m3n0sd0n4ld).

These vulnerabilities have been assigned the following codes:

  • CVE-2023-3037:
    • CVSS v3.1 base score: 8,6.
    • CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L.
    • Vulnerability type: CWE-285: autorización indebida.
  • CVE-2023-3038:
    • CVSS v3.1 base score: 9,8.
    • CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
    • Vulnerability type: CWE-89: inyección SQL.
Solution

No solution has been identified at this stage.

Detail
  • CVE-2023-3037: improper authorisation vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to access the platform without authentication and retrieve personal data via the jsonGrid parameter.
  • CVE-2023-3038: SQL injection vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the rows parameter of the jsonGrid route and extract all the information stored in the application.
References list
Product sheet
CVE-2023-3037: issue en GitHub
CVE-2023-3039: issue en GitHub
Etiquetas