Helpdesk
CVE-2020-2500
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions.
AnalysisAI
This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-284. This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions. Affected products include: Qnap Helpdesk.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
SQL injection in Frappe HelpDesk 1.14.0 dashboard functionality allows authenticated attackers to execute arbitrary SQL
Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 buil
The documentation component in i-net Clear Reports 16.0 to 19.2, HelpDesk 8.0 to 8.3, and PDFC 4.3 to 6.2 allows a remot
An improper access control vulnerability has been reported to affect QNAP NAS. Rated high severity (CVSS 8.8), this vuln
Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie d
An improper certificate validation vulnerability has been reported to affect Helpdesk. Rated high severity (CVSS 7.7), t
GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject persistent JavaScript into ticket subjec
Stored cross-site scripting in GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject arbitrary
Stored cross-site scripting in GFI HelpDesk before version 4.99.10 allows authenticated attackers to inject arbitrary Ja
GFI HelpDesk before version 4.99.9 contains a stored cross-site scripting vulnerability in language management where the
GFI HelpDesk before version 4.99.9 allows authenticated administrators to inject stored cross-site scripting (XSS) paylo
A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. Rated medium severity (CVSS 4.8), this
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today