CVE-2023-3038: Multiple Vulnerabilities Helpdezk Community | INCIBE-CERT
SQL injection vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the rows parameter of the jsonGrid route and extract all the information stored in the application.
Affected Resources
HelpDezk Community, version 1.1.10.
Description
INCIBE has coordinated the publication of 2 vulnerabilities in HelpDezk Community, software for managing requests and incidents, discovered by David Utón Amaya (m3n0sd0n4ld).
These vulnerabilities have been assigned the following codes:
- CVE-2023-3037:
  - CVSS v3.1 base score: 8.6.
  - CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L.
  - Vulnerability type: CWE-285: improper authorization.
- CVE-2023-3038:
  - CVSS v3.1 base score: 9.8.
  - CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
  - Vulnerability type: CWE-89: SQL injection.
Solution
No solution has been identified at this stage.
Detail
- CVE-2023-3037: improper authorisation vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to access the platform without authentication and retrieve personal data via the jsonGrid parameter.
- CVE-2023-3038: SQL injection vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the rows parameter of the jsonGrid route and extract all the information stored in the application.
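As an added defender-side example (not part of the INCIBE advisory and not HelpDezk code), the script below scans web-server access-log lines for jsonGrid requests whose rows parameter is anything other than a plain integer, one way to spot probing of CVE-2023-3038 while no fix is available. The log format, the URL path prefix and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined-log style); not real HelpDezk traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2023:10:00:01 +0000] "GET /helpdezk/jsonGrid?page=1&rows=25 HTTP/1.1" 200 1342
203.0.113.5 - - [10/Jul/2023:10:00:07 +0000] "GET /helpdezk/jsonGrid?page=1&rows=25%27%20OR%201%3D1-- HTTP/1.1" 200 98211
198.51.100.9 - - [10/Jul/2023:10:01:15 +0000] "GET /helpdezk/index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Jul/2023:10:02:40 +0000] "GET /helpdezk/jsonGrid?page=2&rows=25%20UNION%20SELECT%201 HTTP/1.1" 200 77010
"""

# Assumed log layout: client IP, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A legitimate page-size value is a short, non-negative integer.
INT_RE = re.compile(r'^\d{1,6}$')


def check_rows_param(target):
    """Return the decoded rows values that are not plain integers ([] if clean or not jsonGrid)."""
    parts = urlsplit(target)
    if 'jsonGrid' not in parts.path:
        return []
    # parse_qs percent-decodes values, so encoded quotes and spaces are inspected in clear.
    qs = parse_qs(parts.query)
    return [v for v in qs.get('rows', []) if not INT_RE.match(v)]


def find_suspicious(log_text):
    """Parse each line and collect jsonGrid requests with a malformed rows value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = check_rows_param(m.group('target'))
        if bad:
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                         'rows': bad, 'size': m.group('size')})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Standard access logs do not record POST bodies, so a rows value sent in a request body is only visible if the reverse proxy or WAF logs form data.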