PT-2020-15882 · Qnap · Helpdesk

Yoni Ramon · Published 2020-07-01 · Updated 2020-07-10 · CVE-2020-2500

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Helpdesk versions prior to 3.0.1

Description

An improper access control weakness in Helpdesk allows an unauthenticated remote attacker to gain control of the QNAP Kayako service. The vector reflects this: network-reachable, no privileges or user interaction required, with high impact on confidentiality, integrity and availability. Because the Helpdesk component reaches the Kayako backend with API keys that ship with the software (hard-coded credentials), an attacker who obtains those keys can read sensitive data on the QNAP Kayako server.

Recommendations

Update Helpdesk to version 3.0.1 or later. Until the update is applied, replace (rotate) the API key as a temporary workaround, and restrict access to sensitive data on the QNAP Kayako server. Note that rotating the key only helps if the replacement is unique to the deployment and stored outside the shipped code; re-issuing another shared default recreates the weakness.
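The weakness classes attached to this advisory (improper access control, hard-coded credentials) and the interim workaround (replace the API key) are easiest to see side by side in code. The following is an added illustration written for this page, not QNAP, Helpdesk or Kayako code: the client class names, the environment variable name, the header name and the constructed key values are all assumptions. It shows a client that ships with one key baked into its source, a hardened client that refuses to start with the shipped default or with no key, and a server-side key store whose rotate() revokes the old key the moment the new one is issued.

```python
"""Hard-coded API credential (CWE-798) beside a hardened, rotatable design.

Added example for this advisory page; not vendor code. All names and
key values below are constructed for illustration.
"""
import hmac
import os
import secrets

# Constructed value: a key baked into shipped code. Every installation ends
# up with the same value, so anyone who reads the package can call the
# backend API as any deployment. This is the pattern the advisory tags as
# "Using Hardcoded Credentials".
SHIPPED_DEFAULT_KEY = "helpdesk-shipped-key-0000"


def _same_key(a, b):
    """Constant-time string comparison; encode so non-ASCII input cannot
    make hmac.compare_digest raise."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class VulnerableClient:
    """Client that authenticates with the key embedded in the code."""

    def __init__(self):
        self.api_key = SHIPPED_DEFAULT_KEY

    def auth_header(self):
        return {"X-Api-Key": self.api_key}  # header name is an assumption


class HardenedClient:
    """Loads a per-deployment key from the environment and refuses to run
    with no key or with the shipped default."""

    ENV_VAR = "HELPDESK_API_KEY"  # assumed variable name

    def __init__(self, env=None):
        env = os.environ if env is None else env
        key = env.get(self.ENV_VAR, "")
        if not key:
            raise RuntimeError(f"{self.ENV_VAR} is not set; refusing to start")
        if _same_key(key, SHIPPED_DEFAULT_KEY):
            raise RuntimeError("API key is the shipped default; rotate it")
        self.api_key = key

    def auth_header(self):
        return {"X-Api-Key": self.api_key}


def is_default_key(key):
    """Operator check: is this deployment still using the shipped key?"""
    return _same_key(key, SHIPPED_DEFAULT_KEY)


def generate_api_key():
    """Fresh random key for a single deployment (256 bits of entropy)."""
    return secrets.token_urlsafe(32)


class ApiKeyStore:
    """Server-side registry of accepted keys. Rotation is an atomic
    revoke-then-issue, so the old key stops working immediately."""

    def __init__(self):
        self._keys = set()

    def issue(self):
        key = generate_api_key()
        self._keys.add(key)
        return key

    def rotate(self, old_key):
        self._keys.discard(old_key)
        return self.issue()

    def is_valid(self, presented):
        # Compare against every stored key in constant time per key so that
        # timing does not leak which prefix matched.
        return any(_same_key(presented, k) for k in self._keys)


if __name__ == "__main__":
    store = ApiKeyStore()
    first = store.issue()
    second = store.rotate(first)
    print("old key still valid after rotation:", store.is_valid(first))
    print("new key valid:", store.is_valid(second))
```

The operator-facing piece is is_default_key(): run it against the key each installation actually presents to find deployments that were never rotated. The server-side store is what makes "replace the API key" a real mitigation: without revocation on the Kayako side, a rotated client key leaves the leaked one usable.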

Fix

Weakness Enumeration

Improper Access Control

Using Hardcoded Credentials

Related Identifiers

CVE-2020-2500

Affected Products

Helpdesk