CVE-2020-15849 - OpenCVE

Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for authorization bypass and taking over additional accounts by means of modifying password-reset tokens stored in the database. Remote command execution is also possible by leveraging this to abuse the Yii framework's bizRule functionality, allowing for arbitrary PHP code to be executed by the application. Remote command execution is also possible by using this together with a separate insecure file upload vulnerability (CVE-2020-15488).

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Re-desk	Re\

Configuration 1 [-]

cpe:2.3:a:re-desk:re\:desk:2.3:*:*:*:*:*:*:*

References

Link	Resource
https://labs.f-secure.com/advisories/redesk-v2-3-multiple-issues/	Exploit Third Party Advisory
https://www.re-desk.com/download-help-desk-software.html	Product Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-09-30T18:28:20

Updated: 2020-09-30T18:28:20

Reserved: 2020-07-20T00:00:00

Link: CVE-2020-15849

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-09-30T19:15:13.180

Modified: 2020-10-16T13:47:49.180

Link: CVE-2020-15849

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for authorization bypass and taking over additional accounts by means of modifying password-reset tokens stored in the database. Remote command execution is also possible by leveraging this to abuse the Yii framework's bizRule functionality, allowing for arbitrary PHP code to be executed by the application. Remote command execution is also possible by using this together with a separate insecure file upload vulnerability (CVE-2020-15488)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-09-30T18:28:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.re-desk.com/download-help-desk-software.html"}, {"tags": ["x_refsource_MISC"], "url": "https://labs.f-secure.com/advisories/redesk-v2-3-multiple-issues/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-15849", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for authorization bypass and taking over additional accounts by means of modifying password-reset tokens stored in the database. Remote command execution is also possible by leveraging this to abuse the Yii framework's bizRule functionality, allowing for arbitrary PHP code to be executed by the application. Remote command execution is also possible by using this together with a separate insecure file upload vulnerability (CVE-2020-15488)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.re-desk.com/download-help-desk-software.html", "refsource": "MISC", "url": "https://www.re-desk.com/download-help-desk-software.html"}, {"name": "https://labs.f-secure.com/advisories/redesk-v2-3-multiple-issues/", "refsource": "MISC", "url": "https://labs.f-secure.com/advisories/redesk-v2-3-multiple-issues/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-15849", "datePublished": "2020-09-30T18:28:20", "dateReserved": "2020-07-20T00:00:00", "dateUpdated": "2020-09-30T18:28:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:re-desk:re\\:desk:2.3:*:*:*:*:*:*:*", "matchCriteriaId": "34C4228B-7583-4BC3-A0D1-A5E60AF4E874", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for authorization bypass and taking over additional accounts by means of modifying password-reset tokens stored in the database. Remote command execution is also possible by leveraging this to abuse the Yii framework's bizRule functionality, allowing for arbitrary PHP code to be executed by the application. Remote command execution is also possible by using this together with a separate insecure file upload vulnerability (CVE-2020-15488)."}, {"lang": "es", "value": "Re:Desk versi\u00f3n 2.3, presenta una vulnerabilidad de inyecci\u00f3n SQL autenticada ciega en la clase SettingsController, en el m\u00e9todo actionEmailTemplates(). Un actor malicioso con acceso a una cuenta administrativa podr\u00eda abusar de esta vulnerabilidad para recuperar datos confidenciales de la base de datos de la aplicaci\u00f3n, permitiendo omitir la autorizaci\u00f3n y hacerse cargo de cuentas adicionales mediante la modificaci\u00f3n de tokens de restablecimiento de contrase\u00f1a almacenados en la base de datos. Una ejecuci\u00f3n de comandos remota tambi\u00e9n es posible al aprovechar esto para abusar de la funcionalidad bizRule del framework Yii, permitiendo que un c\u00f3digo PHP arbitrario sea ejecutado por la aplicaci\u00f3n. Una ejecuci\u00f3n de comandos remota tambi\u00e9n es posible al usar esto junto con una vulnerabilidad de carga de archivos no segura separada (CVE-2020-15488)"}], "id": "CVE-2020-15849", "lastModified": "2020-10-16T13:47:49.180", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-30T19:15:13.180", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://labs.f-secure.com/advisories/redesk-v2-3-multiple-issues/"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.re-desk.com/download-help-desk-software.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}