CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19948
https://notcve.org/view.php?id=CVE-2018-19948
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later. Se ha reportado que la vulnerabilidad afecta a versiones anteriores de Helpdesk. Si es explotada, esta vulnerabilidad de tipo cross-site request forgery (CSRF) podría permitir a atacantes obligar a usuarios del NAS a ejecutar acciones involuntarias por medio de una aplicación web. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-05 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2500
https://notcve.org/view.php?id=CVE-2020-2500
This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions. Esta vulnerabilidad de control de acceso inadecuado en Helpdesk permite a atacantes obtener el control del servicio QNAP Kayako. Los atacantes pueden acceder a los datos confidenciales en el servidor QNAP Kayako con claves de la API. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-03 • CWE-284: Improper Access Control CWE-321: Use of Hard-coded Cryptographic Key CWE-798: Use of Hard-coded Credentials •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0728
https://notcve.org/view.php?id=CVE-2018-0728
This improper access control vulnerability in Helpdesk allows attackers to access the system logs. To fix the vulnerability, QNAP recommend updating QTS and Helpdesk to their latest versions. Esta vulnerabilidad de control de acceso inapropiado en Helpdesk permite a atacantes acceder a los registros del sistema. Para corregir la vulnerabilidad, QNAP recomienda actualizar QTS y Helpdesk a sus últimas versiones. • https://www.qnap.com/zh-tw/security-advisory/nas-201911-20 • CWE-269: Improper Privilege Management •
CVSS: 7.2EPSS: 7%CPEs: 1EXPL: 2CVE-2017-18486
https://notcve.org/view.php?id=CVE-2017-18486
Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. By inspecting the token value provided in a password reset link, a user can leverage a weak PRNG to recover the shared secret used by the server for remote authentication. The shared secret can be used to escalate privileges by forging new tokens for any user. These tokens can be used to automatically log in as the affected user. Jitbit Helpdesk en versiones anteriores a 9.0.3, permite a los atacantes remotos escalar privilegios debido al manejo inapropiado del parámetro userHash del archivo User/AutoLogin. • https://github.com/Kc57/JitBit_Helpdesk_Auth_Bypass https://packetstormsecurity.com/files/144334/JitBit-Helpdesk-9.0.2-Broken-Authentication.html https://www.exploit-db.com/exploits/42776 https://www.trustedsec.com/2017/09/full-disclosure-jitbit-helpdesk-authentication-bypass-0-day • CWE-332: Insufficient Entropy in PRNG •
CVSS: 5.0EPSS: 0%CPEs: 14EXPL: 0CVE-2008-6440
https://notcve.org/view.php?id=CVE-2008-6440
Cerberus Helpdesk before 4.0 (Build 600) allows remote attackers to obtain sensitive information via direct requests for "controllers ... that aren't standard helpdesk pages," possibly involving the (1) /display and (2) /kb URIs. Cerberus Helpdesk versiones anteriores a v4.0 (Build 600) permite a atacantes remotos obtener información sensible a través de peticiones directas para "controladores ... que no están en páginas estándar de ayuda," posiblemente envolviendo las URIs (1) /display y (2) /kb. • http://secunia.com/advisories/30344 http://www.cerb4.com/blog/2008/05/15/important-security-patch-40-build-599 http://www.securityfocus.com/bid/29335 • CWE-287: Improper Authentication •