
Helpdesk

7 CVEs for this product

CVE-2026-23753 MEDIUM PATCH This Month

GFI HelpDesk before version 4.99.9 contains a stored cross-site scripting vulnerability in language management: the charset POST parameter is not HTML-sanitized before being rendered by the View_Language.RenderGrid() function. An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, and the payload executes in the browsers of other administrators viewing the Languages page. Medium risk: exploitation requires an administrator account, but every administrator who views the page is affected.

Tags: XSS, Helpdesk
Sources: NVD, VulDB
CVSS 4.0: 4.8
EPSS: 0.0%
CVE-2026-23752 MEDIUM PATCH This Month

GFI HelpDesk before version 4.99.9 allows authenticated administrators to inject stored cross-site scripting (XSS) payloads via the companyname parameter when creating or editing a template group; the scripts execute in the browsers of other administrators viewing the Templates > Groups page. The attack requires administrative credentials and user interaction (the victim must view the affected page), but it succeeds against every administrator account with access to that interface.

Tags: XSS, Helpdesk
Sources: NVD, VulDB
CVSS 4.0: 4.8
EPSS: 0.0%
CVE-2026-23756 MEDIUM PATCH This Month

Stored cross-site scripting in GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject arbitrary JavaScript via the Troubleshooter step subject field; the payload executes whenever any user views the affected step. The vulnerability stems from unsanitized POST parameter handling in the Controller_Step.InsertSubmit() and EditSubmit() methods, so the payload is stored persistently and reaches a broad set of users within the application. Note that the victim population here is wider than in the admin-only entries above: any user who can open the step is exposed, not just administrators.

Tags: XSS, Helpdesk
Sources: NVD, VulDB
CVSS 4.0: 5.1
EPSS: 0.0%
CVE-2026-23758 MEDIUM PATCH This Month

GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject persistent JavaScript into ticket subject fields because the editsubject POST parameter is inadequately sanitized; the script executes when other staff or administrators view the affected ticket. The vulnerability impacts confidentiality and integrity within the application's scope. Exploitation is confirmed possible but requires valid staff credentials and user interaction (viewing the malicious ticket). Fixed in version 4.99.9, available from the vendor.

Tags: XSS, Helpdesk
Sources: NVD, VulDB
CVSS 4.0: 6.4
EPSS: 0.0%
CVE-2026-23757 MEDIUM PATCH This Month

Stored cross-site scripting in GFI HelpDesk before version 4.99.10 allows authenticated attackers to inject arbitrary JavaScript into report titles via the Reports module; the payload executes when a staff member opens the report link in the Manage Reports interface. The vulnerability requires attacker authentication and user interaction (clicking the report link), which limits real-world impact to internal staff compromise rather than mass exploitation. Note the fixed version is 4.99.10, one release later than the other GFI HelpDesk entries on this page. A patch is available from the vendor.

Tags: XSS, Helpdesk
Sources: NVD, VulDB
CVSS 4.0: 5.1
EPSS: 0.0%
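The five GFI HelpDesk entries above (CVE-2026-23753, CVE-2026-23752, CVE-2026-23756, CVE-2026-23758 and CVE-2026-23757) share one root cause: a value accepted from a POST parameter is stored and later written into an admin or staff page without HTML encoding. The following Python example is added here to make that pattern and its fix concrete; it is not GFI HelpDesk code (the product is PHP) and the grid layout, sample rows and helper names (render_grid_vulnerable, render_grid_hardened, is_valid_charset, count_script_tags) are assumptions for this illustration. The vulnerable renderer interpolates the stored charset value straight into an attribute, so a payload that closes the attribute and opens a script tag runs in the viewer's browser; the hardened renderer escapes every stored value for its HTML context at output time and, as a second layer, validates charset names against an allowlist on input.

```python
import codecs
import html
import re

# Constructed sample rows for a language-management grid (not real product data).
# The second row is an attacker-supplied record whose charset field carries a
# payload that closes the value="..." attribute and injects a script element.
SAMPLE_LANGUAGES = [
    {"title": "English", "charset": "UTF-8"},
    {"title": "Evil", "charset": '"><script>alert(document.cookie)</script>'},
]


def render_grid_vulnerable(rows):
    """Flawed pattern: stored values are interpolated straight into markup."""
    cells = [
        f'<tr><td>{row["title"]}</td>'
        f'<td><input name="charset" value="{row["charset"]}"></td></tr>'
        for row in rows
    ]
    return "<table>" + "".join(cells) + "</table>"


def render_grid_hardened(rows):
    """Same grid; every stored value is HTML-escaped for the context it lands in.

    html.escape(quote=True) encodes &, <, >, " and ', so a value can neither
    terminate the attribute it sits in nor start a new element.
    """
    cells = [
        f'<tr><td>{html.escape(row["title"], quote=True)}</td>'
        f'<td><input name="charset" value="{html.escape(row["charset"], quote=True)}"></td></tr>'
        for row in rows
    ]
    return "<table>" + "".join(cells) + "</table>"


# Input-side allowlist (assumed policy): charset names are short tokens of
# letters, digits and a few punctuation characters, and must name a codec
# Python knows. This would reject the payload at submit time, before storage.
_CHARSET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:-]{0,39}$")


def is_valid_charset(value):
    """True only for syntactically plausible, known charset names."""
    if not _CHARSET_RE.match(value):
        return False
    try:
        codecs.lookup(value)
    except LookupError:
        return False
    return True


def count_script_tags(markup):
    """Crude check used below: number of raw <script ...> openings in output."""
    return len(re.findall(r"<script\b", markup, flags=re.IGNORECASE))


if __name__ == "__main__":
    print("vulnerable:", render_grid_vulnerable(SAMPLE_LANGUAGES))
    print("hardened:  ", render_grid_hardened(SAMPLE_LANGUAGES))
    for row in SAMPLE_LANGUAGES:
        print(row["charset"][:20], "valid charset?", is_valid_charset(row["charset"]))
```

Output encoding is the actual fix; the charset allowlist is defence in depth for a field whose legitimate values are narrow. The count_script_tags helper is only a demonstration check: a payload such as an injected onfocus attribute contains no script tag at all, which is why blocklisting tags is not a substitute for escaping.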
CVE-2025-10655 HIGH POC This Week

SQL injection in the Frappe HelpDesk 1.14.0 dashboard functionality allows authenticated attackers to execute arbitrary SQL queries via the get_dashboard_data endpoint. User-controlled parameters are concatenated unsafely into dynamic SQL statements, enabling data exfiltration and database manipulation. Publicly available exploit code exists. With CVSS 8.6 (network attack vector, low complexity, low privileges required), this is a high-severity risk for organizations running the affected version; it is not listed in CISA's KEV catalog, so no active exploitation has been confirmed.

Tags: SQLi, Helpdesk
Sources: NVD, GitHub
CVSS 4.0: 8.6
EPSS: 0.1%
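To make "unsafe concatenation of user-controlled parameters into dynamic SQL statements" concrete, the following Python example is added here. It is not Frappe's code: it uses an in-memory SQLite database with an assumed ticket/api_key schema and an assumed agent filter, not Frappe's real schema or the real get_dashboard_data signature. The vulnerable function builds the dashboard query by string formatting, so a crafted filter value turns it into a UNION that reads rows from an unrelated table; the hardened version binds the value as a query parameter and allowlists the one piece that cannot be bound, the GROUP BY column name.

```python
import sqlite3

# Constructed in-memory schema standing in for a helpdesk database. Table and
# column names are assumptions for this example, not Frappe's real schema.
def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ticket (name TEXT, status TEXT, agent TEXT);
        CREATE TABLE api_key (owner TEXT, secret TEXT);
        INSERT INTO ticket VALUES ('HD-1', 'Open',   'alice'),
                                  ('HD-2', 'Closed', 'alice'),
                                  ('HD-3', 'Open',   'bob');
        INSERT INTO api_key VALUES ('admin', 's3cr3t-api-key');
    """)
    return conn


# Payload for the agent filter: closes the string literal, appends a UNION that
# selects from another table with a matching column count, and comments out
# the remainder of the original statement (the GROUP BY clause).
UNION_PAYLOAD = "' UNION SELECT secret, 1 FROM api_key --"


def dashboard_counts_vulnerable(conn, agent):
    """Ticket count per status for one agent; the filter is concatenated into SQL."""
    sql = (
        "SELECT status, COUNT(*) FROM ticket "
        f"WHERE agent = '{agent}' GROUP BY status"
    )
    return conn.execute(sql).fetchall()


# Column names cannot be bound as parameters, so the only safe way to let the
# caller choose one is an allowlist of known identifiers.
ALLOWED_GROUP_FIELDS = frozenset({"status", "agent"})


def is_allowed_group_field(name):
    return name in ALLOWED_GROUP_FIELDS


def dashboard_counts_hardened(conn, agent, group_field="status"):
    """Same report: the value is a bound parameter, the identifier is allowlisted."""
    if not is_allowed_group_field(group_field):
        raise ValueError(f"unsupported group field: {group_field!r}")
    sql = (
        f"SELECT {group_field}, COUNT(*) FROM ticket "
        f"WHERE agent = ? GROUP BY {group_field}"
    )
    return conn.execute(sql, (agent,)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print("legit, vulnerable: ", dashboard_counts_vulnerable(db, "alice"))
    print("payload, vulnerable:", dashboard_counts_vulnerable(db, UNION_PAYLOAD))
    print("payload, hardened:  ", dashboard_counts_hardened(db, UNION_PAYLOAD))
```

With the payload, the vulnerable query becomes `SELECT status, COUNT(*) FROM ticket WHERE agent = '' UNION SELECT secret, 1 FROM api_key`, and the API secret comes back as if it were a ticket status. The hardened function treats the same string as a literal agent name, matches nothing, and returns an empty result.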
CVE-2024-50394 HIGH This Week

An improper certificate validation vulnerability has been reported to affect Helpdesk. Rated high severity (CVSS 7.7), it is remotely exploitable with low attack complexity and requires no authentication. In general, a client that fails to validate a peer's certificate lets an on-path attacker present an arbitrary certificate and read or alter the connection, which is why this entry is tagged as information disclosure. No vendor patch is listed.

Tags: Information Disclosure, Helpdesk
Sources: NVD
CVSS 4.0: 7.7
EPSS: 0.1%