PT-2007-5593 · Deskpro · Deskpro

Published: 2007-08-18 · Updated: 2018-10-15 · CVE-2007-4412

CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: DeskPRO version 3.0.2

Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. They allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters of several administrative endpoints, including "techs.php", "ticket category.php", "ticket priority.php", "ticket workflow.php", "ticket escalate.php", "fields ticket.php", "ticket rules web.php", "ticket displayfields.php", "ticket rules mail.php", "fields user.php", "fields faq.php", and "user help.php". The affected endpoints are located in the "admincp/" directory and possibly in a directory on the "User side".

Recommendations: For DeskPRO version 3.0.2, consider disabling access to the affected endpoints until a patch is available. Restrict access to the admincp/ directory, and possibly to the directory on the "User side", to reduce the risk of exploitation. Avoid passing untrusted values to the parameters of the affected endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
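The advisory names the vulnerability class but not the code. The following is an added illustration of that class in PHP and of the standard fix (context-aware output encoding); it is hypothetical code written for this page, not DeskPRO's source, and the function names, the form field and the sample input are all assumptions.

```php
<?php
// Added example, not DeskPRO's code: a hypothetical admin form field that
// reflects a request parameter, shown in its vulnerable and hardened forms.

// Vulnerable pattern: the parameter value is concatenated straight into HTML.
// A value containing a double quote closes the attribute, and whatever follows
// it is parsed as markup in the administrator's browser.
function renderCategoryNameUnsafe(array $params): string
{
    $name = $params['name'] ?? '';
    return '<input type="text" name="name" value="' . $name . '">';
}

// Hardened pattern: encode for the HTML attribute context at the point of output.
// ENT_QUOTES covers both ' and " so the value cannot terminate the attribute;
// the explicit charset prevents encoding mismatches from reopening the hole.
function renderCategoryNameSafe(array $params): string
{
    $name = htmlspecialchars($params['name'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="name" value="' . $name . '">';
}

// Quick regression check a reviewer can run: the encoded output must not
// contain a raw double quote or angle bracket from the untrusted value.
function outputIsInert(string $html, string $untrusted): bool
{
    $encoded = htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strpos($html, $encoded) !== false && strpos($html, $untrusted) === false;
}

// Constructed sample input (not from the advisory): it closes the attribute
// and appends a harmless tag, which is enough to show the breakout.
$sample = ['name' => '"><b>injected</b>'];

echo renderCategoryNameUnsafe($sample), PHP_EOL; // the <b> element lands in the page
echo renderCategoryNameSafe($sample), PHP_EOL;   // the value stays inside the attribute as text

var_dump(outputIsInert(renderCategoryNameUnsafe($sample), $sample['name'])); // false
var_dump(outputIsInert(renderCategoryNameSafe($sample), $sample['name']));   // true
```

Encoding belongs at the output site and must match the context (attribute, element body, JavaScript string, URL); a single global escaping pass on input is not a substitute, which is why the advisory's interim advice is to restrict who can reach admincp/ at all.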

Related Identifiers: CVE-2007-4412

Affected Products: Deskpro