CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19948
https://notcve.org/view.php?id=CVE-2018-19948
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later. Se ha reportado que la vulnerabilidad afecta a versiones anteriores de Helpdesk. Si es explotada, esta vulnerabilidad de tipo cross-site request forgery (CSRF) podría permitir a atacantes obligar a usuarios del NAS a ejecutar acciones involuntarias por medio de una aplicación web. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-05 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2500
https://notcve.org/view.php?id=CVE-2020-2500
This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions. Esta vulnerabilidad de control de acceso inadecuado en Helpdesk permite a atacantes obtener el control del servicio QNAP Kayako. Los atacantes pueden acceder a los datos confidenciales en el servidor QNAP Kayako con claves de la API. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-03 • CWE-284: Improper Access Control CWE-321: Use of Hard-coded Cryptographic Key CWE-798: Use of Hard-coded Credentials •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0728
https://notcve.org/view.php?id=CVE-2018-0728
This improper access control vulnerability in Helpdesk allows attackers to access the system logs. To fix the vulnerability, QNAP recommend updating QTS and Helpdesk to their latest versions. Esta vulnerabilidad de control de acceso inapropiado en Helpdesk permite a atacantes acceder a los registros del sistema. Para corregir la vulnerabilidad, QNAP recomienda actualizar QTS y Helpdesk a sus últimas versiones. • https://www.qnap.com/zh-tw/security-advisory/nas-201911-20 • CWE-269: Improper Privilege Management •
CVSS: 7.2EPSS: 7%CPEs: 1EXPL: 2CVE-2017-18486
https://notcve.org/view.php?id=CVE-2017-18486
Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. By inspecting the token value provided in a password reset link, a user can leverage a weak PRNG to recover the shared secret used by the server for remote authentication. The shared secret can be used to escalate privileges by forging new tokens for any user. These tokens can be used to automatically log in as the affected user. Jitbit Helpdesk en versiones anteriores a 9.0.3, permite a los atacantes remotos escalar privilegios debido al manejo inapropiado del parámetro userHash del archivo User/AutoLogin. • https://github.com/Kc57/JitBit_Helpdesk_Auth_Bypass https://packetstormsecurity.com/files/144334/JitBit-Helpdesk-9.0.2-Broken-Authentication.html https://www.exploit-db.com/exploits/42776 https://www.trustedsec.com/2017/09/full-disclosure-jitbit-helpdesk-authentication-bypass-0-day • CWE-332: Insufficient Entropy in PRNG •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2018-0714
https://notcve.org/view.php?id=CVE-2018-0714
Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 and their earlier versions could allow remote attackers to run arbitrary commands in the compromised application. Vulnerabilidad de inyección de comandos en Helpdesk en versiones 1.1.21 y anteriores en QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 y sus versiones anteriores podría permitir que los atacantes remotos ejecuten comandos arbitrarios en la aplicación comprometida. • https://www.qnap.com/zh-tw/security-advisory/nas-201808-13 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •