CVE-2020-13992

Name of the Vulnerable Software and Affected Versions Mods for HESK versions 3.1.0 through 2019.1.0

Description The issue allows remote unauthenticated attackers to abuse a helpdesk user's logged in session through a Stored XSS attack. This can occur when a user with sufficient privileges to change their login-page image opens a crafted ticket.

Recommendations For versions 3.1.0 through 2019.1.0, consider restricting access to the login-page image change functionality until a fix is available. As a temporary workaround, avoid opening crafted tickets to minimize the risk of exploitation.