
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jun 2021 — An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4. • https://www.qnap.com/zh-tw/security-advisory/qsa-21-25 • CWE-269: Improper Privilege Management

CVSS: 9.8 • EPSS: 29% • CPEs: 1 • EXPL: 0

03 Feb 2021 — The vulnerability has been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-08 • CWE-284: Improper Access Control

CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

03 Feb 2021 — The vulnerability has been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-08 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Sep 2020 — The vulnerability has been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-05 • CWE-295: Improper Certificate Validation • CWE-297: Improper Validation of Certificate with Host Mismatch

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Sep 2020 — The vulnerability has been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-05 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-209: Generation of Error Message Containing Sensitive Information • CWE-210: Self-generated Error Message Containing Sensitive Information

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Sep 2020 — The vulnerability has been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-05 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Jul 2020 — This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-03 • CWE-284: Improper Access Control • CWE-321: Use of Hard-coded Cryptographic Key • CWE-798: Use of Hard-coded Credentials

CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

04 Dec 2019 — This improper access control vulnerability in Helpdesk allows attackers to access the system logs. To fix the vulnerability, QNAP recommend updating QTS and Helpdesk to their latest versions. • https://www.qnap.com/zh-tw/security-advisory/nas-201911-20 • CWE-269: Improper Privilege Management

CVSS: 7.2 • EPSS: 1% • CPEs: 1 • EXPL: 2

09 Aug 2019 — Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. By inspecting the token value provided in a password reset link, a user can leverage a weak PRNG to recover the shared secret used by the server for remote authentication. The shared secret can be used to escalate privileges by forging new tokens for any user. These tokens can be used to automatically log in as the affected user. • https://github.com/Kc57/JitBit_Helpdesk_Auth_Bypass • CWE-332: Insufficient Entropy in PRNG

CVSS: 9.8 • EPSS: 1% • CPEs: 4 • EXPL: 0

13 Aug 2018 — Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 and their earlier versions could allow remote attackers to run arbitrary commands in the compromised application. • https://www.qnap.com/zh-tw/security-advisory/nas-201808-13 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')