CVE-2020-15487

Re:Desk 2.3 contains a blind unauthenticated SQL injection vulnerability in the getBaseCriteria() function in the protected/models/Ticket.php file. By modifying the folder GET parameter, it is possible to execute arbitrary SQL statements via a crafted URL. Unauthenticated remote command execution is possible by using this SQL injection to update certain database values, which are then executed by a bizRule eval() function in the yii/framework/web/auth/CAuthManager.php file. Resultant authorization bypass is also possible, by recovering or modifying password hashes and password reset tokens, allowing for administrative privileges to be obtained.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://labs.f-secure.com/advisories/redesk-v2-3-multiple-issues/	Exploit Third Party Advisory
https://www.re-desk.com/download-help-desk-software.html	Vendor Advisory
https://labs.f-secure.com/advisories/redesk-v2-3-multiple-issues/	Exploit Third Party Advisory
https://www.re-desk.com/download-help-desk-software.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:re-desk:re\:desk:2.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-09-30 18:15

Updated : 2024-11-21 05:05

NVD link : CVE-2020-15487

Mitre link : CVE-2020-15487

CVE.ORG link : CVE-2020-15487

JSON object : View

Products Affected

re-desk

re\

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2020-15487", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-09-30T18:15:22.273", "references": [{"url": "https://labs.f-secure.com/advisories/redesk-v2-3-multiple-issues/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.re-desk.com/download-help-desk-software.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://labs.f-secure.com/advisories/redesk-v2-3-multiple-issues/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.re-desk.com/download-help-desk-software.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Re:Desk 2.3 contains a blind unauthenticated SQL injection vulnerability in the getBaseCriteria() function in the protected/models/Ticket.php file. By modifying the folder GET parameter, it is possible to execute arbitrary SQL statements via a crafted URL. Unauthenticated remote command execution is possible by using this SQL injection to update certain database values, which are then executed by a bizRule eval() function in the yii/framework/web/auth/CAuthManager.php file. Resultant authorization bypass is also possible, by recovering or modifying password hashes and password reset tokens, allowing for administrative privileges to be obtained."}, {"lang": "es", "value": "Re:Desk versi\u00f3n 2.3, contiene una vulnerabilidad de inyecci\u00f3n SQL ciega no autenticada en la funci\u00f3n getBaseCriteria() en el archivo protected/models/Ticket.php. Al modificar el par\u00e1metro GET de la carpeta, es posible ejecutar sentencias SQL arbitrarias por medio de una URL dise\u00f1ada. La ejecuci\u00f3n de comandos remotos no autenticados es posible usando esta inyecci\u00f3n SQL para actualizar determinados valores de la base de datos, que luego son ejecutados por una funci\u00f3n eval() de bizRule en el archivo yii/framework/web/auth/CAuthManager.php. La omisi\u00f3n de autorizaci\u00f3n resultante tambi\u00e9n es posible, recuperando o modificando hashes de contrase\u00f1a y tokens de restablecimiento de contrase\u00f1a, permitiendo obtener privilegios administrativos"}], "lastModified": "2024-11-21T05:05:37.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:re-desk:re\\:desk:2.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34C4228B-7583-4BC3-A0D1-A5E60AF4E874"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}