First published: Wed Apr 01 2020(Updated: )
An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user's password.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Deskpro Deskpro | <2019.8.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-11463 is a vulnerability in Deskpro before version 2019.8.0 that allows an attacker to retrieve cleartext credentials of all helpdesk email accounts.
The severity of CVE-2020-11463 is high with a CVSS score of 7.5.
CVE-2020-11463 affects Deskpro versions before 2019.8.0.
An attacker can exploit CVE-2020-11463 by accessing the /api/email_accounts endpoint to retrieve cleartext credentials of helpdesk email accounts.
Yes, a fix for CVE-2020-11463 is available in Deskpro version 2019.8.0 and later.