Loca1Gh0S7

**Name of the Vulnerable Software and Affected Versions** Mods for HESK versions 3.1.0 through 2019.1.0 **Description** The issue allows remote unauthenticated attackers to abuse a helpdesk user's logged in session through a Stored XSS attack. This can occur when a user with sufficient privileges to change their login-page image opens a crafted ticket. **Recommendations** For versions 3.1.0 through 2019.1.0, consider restricting access to the login-page image change functionality until a fix is available. As a temporary workaround, avoid opening crafted tickets to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mods for HESK versions 3.1.0 through 2019.1.0 **Description** A blind time-based SQL injection issue allows remote unauthenticated attackers to retrieve information from the database via a ticket. **Recommendations** For versions 3.1.0 through 2019.1.0, update to a version that contains a fix for this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Mods for HESK versions 3.1.0 through 2019.1.0 **Description** The issue allows a privileged user to achieve code execution on the server via a ticket due to improper access control of uploaded resources. **Recommendations** For versions 3.1.0 through 2019.1.0, update to a version that includes proper access control for uploaded resources to prevent code execution.