CVE-2020-11466

Name of the Vulnerable Software and Affected Versions Deskpro versions prior to 2019.8.0

Description An issue was discovered where the "/api/tickets" endpoint failed to properly validate a user's privilege. This allowed an attacker to retrieve arbitrary information about all helpdesk tickets stored in the database with numerous filters, leaking sensitive information to unauthorized parties. Additionally, it leaked ticket authentication code, making it possible to make changes to a ticket.

Recommendations For versions prior to 2019.8.0, update to version 2019.8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/tickets" endpoint to minimize the risk of exploitation.