Multiple vulnerabilities in HelpDezk Community

Posted date 20/07/2023

Importance

5 - Critical

Affected Resources

HelpDezk Community, version 1.1.10.

Description

INCIBE has coordinated the publication of 2 vulnerabilities in HelpDezk Community, a software for managing requests and incidents, which have been discovered by David Utón Amaya (m3n0sd0n4ld).

These vulnerabilities have been assigned the following codes:

CVE-2023-3037:
- CVSS v3.1 base score: 8,6.
- CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L.
- Vulnerability type: CWE-285: autorización indebida.
CVE-2023-3038:
- CVSS v3.1 base score: 9,8.
- CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
- Vulnerability type: CWE-89: inyección SQL.

Solution

No solution has been identified at this stage.

Detail

CVE-2023-3037: improper authorisation vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to access the platform without authentication and retrieve personal data via the jsonGrid parameter.
CVE-2023-3038: SQL injection vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the rows parameter of the jsonGrid route and extract all the information stored in the application.

References list

Product sheet

CVE-2023-3037: issue en GitHub

CVE-2023-3039: issue en GitHub

Etiquetas