PT-2023-14631 · Unknown · Livebox Collaboration Vdesk

Andrea Carlo Maria Dattola (+1)
Published: 2023-04-14 · Updated: 2025-02-07
CVE: CVE-2022-45178
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LIVEBOX Collaboration vDesk versions through v018

Description: An issue exists in the software due to Broken Access Control. It affects several API endpoints: "/api/v1/vdeskintegration/saml/user/createorupdate", "/settings/guest-settings", "/settings/samlusers-settings", and "/settings/users-settings". A malicious user who is already logged in as a SAML user can escalate privileges from a low-privilege user (FGM user) to an administrative user (GGU user), including the administrator, or create new users without holding an admin role.

Recommendations: For LIVEBOX Collaboration vDesk versions through v018, as a temporary workaround, consider restricting access to the affected API endpoints until a patch is available. Additionally, restrict the ability to create new users and to change user privileges, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
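The workaround above amounts to two things a defender can put in front of, or alongside, the application: a deny-by-default authorization gate on the four endpoints, and a log check that surfaces non-administrative principals reaching them. The following Python is an added example written for this advisory; it is not Livebox code and does not describe how vDesk implements roles. The endpoint paths are copied from the description; the role names ("admin", "member", "guest"), the log line format and the sample log lines are constructed assumptions.

```python
"""Added example (not vendor code): a deny-by-default gate for the endpoints
named in PT-2023-14631 / CVE-2022-45178, plus a scan over constructed access
log lines that flags requests to those endpoints by non-administrative users.
Role names, log format and sample lines are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import unquote

# Endpoints listed in the advisory (paths copied from the description).
PRIVILEGED_ENDPOINTS = {
    "/api/v1/vdeskintegration/saml/user/createorupdate",
    "/settings/guest-settings",
    "/settings/samlusers-settings",
    "/settings/users-settings",
}

# Assumption: a single role name marks administrative principals.
ADMIN_ROLES = frozenset({"admin"})


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


def normalize_path(path: str) -> str:
    """Canonicalize a request path before matching it against the allow list.

    Query strings, percent-encoding, doubled slashes and trailing slashes are
    all removed so that trivially different spellings of the same route are
    not treated as different (unlisted) routes. Lower-casing is deliberate:
    for a deny-by-default gate, over-matching is the safer failure mode.
    """
    path = unquote(path.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return path.lower()


def is_privileged_endpoint(path: str) -> bool:
    return normalize_path(path) in PRIVILEGED_ENDPOINTS


def authorize(principal: Principal, path: str) -> bool:
    """Server-side check: only administrators may reach the listed endpoints.

    Routes outside the list are passed through here; they keep whatever
    checks the application already applies to them.
    """
    if not is_privileged_endpoint(path):
        return True
    return bool(principal.roles & ADMIN_ROLES)


# Constructed log format: "<ts> user=<id> roles=<r1,r2> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) roles=(?P<roles>\S*) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def find_suspicious_requests(lines: Iterable[str]) -> list[dict]:
    """Return every request to a listed endpoint made by a non-admin principal.

    Blocked attempts (4xx) are reported too: on an unpatched system a 200 here
    is the behaviour the advisory describes, and a 403 after the workaround
    still shows who is probing the endpoints.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production scanner would count these
        roles = frozenset(r for r in m["roles"].split(",") if r)
        if is_privileged_endpoint(m["path"]) and not (roles & ADMIN_ROLES):
            hits.append({
                "ts": m["ts"],
                "user": m["user"],
                "path": normalize_path(m["path"]),
                "status": int(m["status"]),
            })
    return hits


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "2023-04-14T10:00:01Z user=root roles=admin,member GET /settings/users-settings 200",
    "2023-04-14T10:00:07Z user=alice roles=member POST /api/v1/vdeskintegration/saml/user/createorupdate 200",
    "2023-04-14T10:00:09Z user=alice roles=member GET //settings/guest-settings/?tab=1 200",
    "2023-04-14T10:00:12Z user=alice roles=member GET /api/v1/profile 200",
    "2023-04-14T10:00:15Z user=bob roles=guest POST /settings/samlusers-settings 403",
]

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The gate is endpoint-level only: it enforces the advisory's interim workaround of keeping non-administrators away from these routes, and it says nothing about the application's own role model. Normalizing the path before the lookup is the part most often skipped in such workarounds, and a proxy rule that matches the literal string without it will miss the encoded or double-slash spellings that the scanner above catches.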

Exploit

Related Identifiers

CVE-2022-45178

Affected Products

Livebox Collaboration Vdesk