CVE-2022-45172

Name of the Vulnerable Software and Affected Versions LIVEBOX Collaboration vDesk versions prior to v018

Description An issue was discovered in the web application, allowing Broken Access Control to occur under the "/api/v1/registration/validateEmail" endpoint, the "/api/v1/vdeskintegration/user/adduser" endpoint, and the "/api/v1/registration/changePasswordUser" endpoint. The application is affected by flaws in authorization logic, enabling a malicious user with no privileges to perform privilege escalation to the administrator role and steal the accounts of any users on the system.

Recommendations For versions prior to v018, update to version v018 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/v1/registration/validateEmail", "/api/v1/vdeskintegration/user/adduser", and "/api/v1/registration/changePasswordUser" endpoints until a patch is available. Additionally, monitor user activity and permissions closely to minimize the risk of exploitation.