Destekz
Monthly
Reflected XSS in Destekz (all versions through 02062026) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by delivering crafted URLs containing unsanitized input. The CVSS scope change (S:C) confirms that successful exploitation can affect resources beyond the vulnerable application itself, such as the victim's browser session context. Critically, the vendor Raera has confirmed the product is end-of-life and unsupported, meaning no patch will ever be released and all deployed instances are permanently vulnerable. No public exploit code or CISA KEV listing has been identified at time of analysis.
SQL injection in Raera's Destekz support/help-desk application (all versions through 02062026) allows remote attackers to inject arbitrary SQL via unsanitized input, per the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector indicating unauthenticated network exploitation. TR-CERT rates this critical (9.8) with full confidentiality, integrity, and availability impact, meaning an attacker can read, modify, or destroy backend database contents. No public exploit identified at time of analysis, but the vendor has confirmed the product is no longer supported, so no fix will be issued.
Reflected XSS in Destekz (all versions through 02062026) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by delivering crafted URLs containing unsanitized input. The CVSS scope change (S:C) confirms that successful exploitation can affect resources beyond the vulnerable application itself, such as the victim's browser session context. Critically, the vendor Raera has confirmed the product is end-of-life and unsupported, meaning no patch will ever be released and all deployed instances are permanently vulnerable. No public exploit code or CISA KEV listing has been identified at time of analysis.
SQL injection in Raera's Destekz support/help-desk application (all versions through 02062026) allows remote attackers to inject arbitrary SQL via unsanitized input, per the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector indicating unauthenticated network exploitation. TR-CERT rates this critical (9.8) with full confidentiality, integrity, and availability impact, meaning an attacker can read, modify, or destroy backend database contents. No public exploit identified at time of analysis, but the vendor has confirmed the product is no longer supported, so no fix will be issued.