CVE-2020-11467

Name of the Vulnerable Software and Affected Versions Deskpro versions prior to 2019.8.0

Description An issue was discovered in Deskpro that allows administrators to modify the helpdesk interface by editing /portal/api/style/edit-theme-set/template-sources theme templates, using TWIG as its template engine. Although direct access to self and self variables is not permitted, an attacker can abuse accessible variables in their context to reach a native unserialize function via the code parameter. By passing a crafted payload, an attacker can trigger a set of POP gadgets to achieve remote code execution.

Recommendations For versions prior to 2019.8.0, update to version 2019.8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /portal/api/style/edit-theme-set/template-sources endpoint to minimize the risk of exploitation. Additionally, avoid using the code parameter in the affected API endpoint until the issue is resolved.