PT-2017-12032 · Ivanti · Ivanti Service Desk

Published: 2017-12-11 · Updated: 2018-03-28 · CVE-2017-11463
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Ivanti Service Desk versions 2016.3 through 2017.3

Description: The issue allows a normal user to send requests to a specific URI with the target user's username in an HTTP payload to retrieve a key/token and use it to access or update objects belonging to other users, such as user profiles, tickets, and incidents.

Recommendations: For Ivanti Service Desk versions 2016.3 through 2017.3, consider restricting access to the specific URI that allows referencing and updating of objects belonging to other users until a patch is available. As a temporary workaround, limit the ability of normal users to send requests with the target user's username in the HTTP payload to prevent unauthorized access to other users' objects.
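The flaw described above, as an added Python sketch that is not Ivanti's code: a token endpoint that trusts the username in the request body, beside the corrected version that binds the token to the server-side session principal and records any mismatch for detection. The session store, ticket table and all function names are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed sample data standing in for the application's session store and
# ticket table; it is not Ivanti's data model.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
TICKETS = {"T-1": {"owner": "alice", "title": "VPN down"},
           "T-2": {"owner": "bob", "title": "Printer jam"}}
SERVER_KEY = secrets.token_bytes(32)  # per-process key used to sign tokens
ALERTS = []  # detection hook: (session user, username named in payload)

def issue_token(owner):
    """Token bound to `owner` by an HMAC over the owner name."""
    mac = hmac.new(SERVER_KEY, owner.encode(), hashlib.sha256).hexdigest()
    return f"{owner}:{mac}"

def verify_token(token):
    """Owner the token was issued for, or None if the MAC does not match."""
    owner, _, mac = token.partition(":")
    expected = hmac.new(SERVER_KEY, owner.encode(), hashlib.sha256).hexdigest()
    return owner if hmac.compare_digest(mac, expected) else None

def get_token_vulnerable(session_id, payload):
    """Flawed pattern: the caller only has to be logged in, and the token is
    bound to whatever username the request body names."""
    if session_id not in SESSIONS:
        raise PermissionError("not authenticated")
    return issue_token(payload["username"])

def get_token_fixed(session_id, payload):
    """Fixed pattern: the principal comes from the server-side session only;
    a username in the payload is ignored and a mismatch is recorded."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("not authenticated")
    if payload.get("username", user) != user:
        ALERTS.append((user, payload["username"]))
    return issue_token(user)

def update_ticket(token, ticket_id, new_title):
    """Object access is authorised against the token's principal, so a token
    bound to the wrong user is the whole problem."""
    owner = verify_token(token)
    ticket = TICKETS[ticket_id]
    if owner is None or ticket["owner"] != owner:
        raise PermissionError("not the owner")
    ticket["title"] = new_title
    return ticket
```

The mismatch entries in ALERTS are the signal a defender can log and alert on while the workaround above is in place.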

Fix

Weakness Enumeration

Related Identifiers

CVE-2017-11463

Affected Products

Ivanti Service Desk