Daniel@Hackermondev

#33440 of 53,630
7.8 Total CVSS
Vulnerabilities · 1
PT-2024-7647
7.8
2024-10-12
Zendesk · Zendesk · CVE-2024-49193
**Name of the Vulnerable Software and Affected Versions**

Zendesk versions prior to 2024-07-02

**Description**

The issue is an improper-authorization flaw in Zendesk that allows remote attackers to read ticket history via e-mail spoofing. Cc fields are extracted from incoming e-mail messages and used to grant additional authorization to view a ticket, but the mechanism for detecting spoofed e-mail messages is insufficient. The support e-mail addresses associated with individual tickets are also predictable. An attacker who knows the support e-mail address and the ticket id can therefore view a ticket's entire history and gain access to sensitive data.

**Recommendations**

For versions prior to 2024-07-02, upgrade the affected component immediately to prevent potential remote exploitation. As a temporary workaround, consider restricting access to the e-mail handler to minimize the risk of exploitation. Avoid using predictable support e-mail addresses associated with individual tickets until the issue is resolved.