PT-2020-12626 · Deskpro · Deskpro

Published: 2020-04-01 · Updated: 2021-07-21 · CVE-2020-11463

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Deskpro versions prior to 2019.8.0

Description: An issue was discovered where the "/api/email accounts" endpoint failed to properly validate a user's privilege. This allowed an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. As a result, an attacker could gain full access to all emails sent or received by the system, including password reset emails, making it possible to reset any user's password.

Recommendations: For versions prior to 2019.8.0, update to version 2019.8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/email accounts" endpoint until a patch is available.

Exploit · Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2020-11463

Affected Products: Deskpro