CVE-2022-45169

Name of the Vulnerable Software and Affected Versions LIVEBOX Collaboration vDesk versions through v031

Description An issue was discovered allowing a URL Redirection to an Untrusted Site (Open Redirect) under the "/api/v1/notification/createnotification" endpoint. This enables an authenticated user to send an arbitrary push notification to any other user of the system, which can include an invisible clickable link.

Recommendations For versions through v031, as a temporary workaround, consider restricting access to the "/api/v1/notification/createnotification" endpoint until a patch is available. Additionally, limiting the ability to send push notifications to only trusted users may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.