Deskpro XSS flaws could hijack admin sessions, take over helpdesk agent accounts

  • Hackers could have exploited cross-site scripting vulnerabilities discovered in the popular helpdesk platform Deskpro to hijack the sessions of administrators and take over the accounts of helpdesk agents.

    This would give attackers the same privileges as admins and agents in terms of what they could execute and the information they are exposed to, according to a blog post by the Checkmarx researchers who found the flaws while auditing the platform. In some cases, attackers could have reset the entire helpdesk, wiping all system data.

    Given the shift to remote work and the need for helpdesk software that lets remote teams collaborate, Checkmarx audited Deskpro’s security as part of the company’s bug bounty program. Checkmarx researchers said attackers could exploit the issue in two ways:

    Administrator session hijacking. This flaw had a CVSS score of 8.8, which security professionals consider high. The issue was found in Deskpro version 2020.2.9 running in a Docker container using the official Deskpro Docker image. However, the underlying issue – a stored XSS vulnerability – also affects the cloud version. Malicious users can execute arbitrary code in the victim’s browser to exfiltrate the session token. With the token in hand, malicious users could hijack victims’ sessions and perform actions on their behalf.

    Agent account takeover. This vulnerability was assigned a CVSS score of 8.1, also considered high. The issue was found in Deskpro 2020.2.9, running in a Docker container using the official Deskpro Docker image. In this case too, the stored XSS vulnerability affects the cloud version. Malicious users can execute arbitrary code in the victim’s browser, enabling them to take over a victim’s account.

    This finding once again proves that there’s no such thing as error-free code, said Dirk Schrader, global vice president at New Net Technologies. Deskpro was quick in reacting to Checkmarx and in fixing the issue, he said, while asking for a 90-day hold period, which he said was reasonable to get the majority of installations patched.

    “As usual, attackers will find those who haven’t heard the call,” Schrader said. “Controlling all changes to your environment ensures detection of unwanted changes, and scanning for vulnerabilities regularly with an up-to-date scanner ensures that – should the call for patching have been missed – another alarm gets raised.”