Researchers have disclosed details of now-patched vulnerabilities in Zendesk Explore that could have been exploited by attackers to gain unauthorized access to information from customer accounts that have the feature enabled.
“Before being patched, the vulnerability would have allowed threat actors to access conversations, email addresses, requests, comments, and other information from Zendesk accounts with Explore enabled,” Varonis said in a report shared with The Hacker News.
The cybersecurity firm said there is no evidence that the issues were actively exploited in real-world attacks. No action is required on the customer’s part.
Zendesk Explore is a reporting and analytics solution that allows organizations to “view and analyze key information about your customers and support resources”.
According to the software security company, exploiting the vulnerability first requires an attacker to register for the ticketing service of the victim’s Zendesk account as a new external user, a feature that may be enabled by default to allow end users to submit support requests.
The first vulnerability is an SQL injection in the GraphQL API that could be abused to extract all information stored in the database as an administrative user, including email addresses, tickets, and chat conversations with live agents.
The second vulnerability is a logical access issue in the Query Execution API, which was configured to run queries without checking whether the “user” making the call had sufficient permissions to do so.
“This means that a newly created end user can call this API, change queries and steal data from any table in the RDS of the target Zendesk account without SQLi.”
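The two defect classes described above, string-built SQL behind an API and a query-execution endpoint that never consults the caller's permissions, are shown below side by side with their hardened forms. This is an added illustration written for this page; it is not Varonis's research code or Zendesk's implementation, and the ticket schema, role names, `Caller` type and function names are all assumptions constructed for the example.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data standing in for a multi-tenant ticket store.
# Table and column names are assumptions for this example, not Zendesk's schema.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tickets (
            id INTEGER PRIMARY KEY,
            account_id INTEGER NOT NULL,
            subject TEXT NOT NULL,
            requester_email TEXT NOT NULL
        );
        INSERT INTO tickets VALUES (1, 100, 'Login issue', 'alice@example.com');
        INSERT INTO tickets VALUES (2, 100, 'Billing question', 'bob@example.com');
        INSERT INTO tickets VALUES (3, 200, 'Export request', 'carol@example.com');
    """)
    return conn


@dataclass(frozen=True)
class Caller:
    """Identity attached to an API call. Roles are an assumption for this example."""
    user_id: int
    account_id: int
    role: str  # "end_user", "agent" or "admin"


class Forbidden(Exception):
    """Raised when the caller's role does not permit the operation."""


# --- Pattern 1: a filter argument spliced into SQL (the SQL injection class) ---

def search_tickets_vulnerable(conn: sqlite3.Connection, subject: str) -> list:
    # Defect: the caller-controlled value is interpolated into the statement,
    # so a crafted subject changes the query's logic instead of its data.
    sql = f"SELECT id, requester_email FROM tickets WHERE subject = '{subject}'"
    return conn.execute(sql).fetchall()


def search_tickets_fixed(conn: sqlite3.Connection, caller: Caller, subject: str) -> list:
    # Fix: bind parameters, and scope the query to the caller's own account so
    # the result can never include another tenant's rows.
    sql = "SELECT id, requester_email FROM tickets WHERE account_id = ? AND subject = ?"
    return conn.execute(sql, (caller.account_id, subject)).fetchall()


# --- Pattern 2: a query-execution endpoint that never checks who is calling ---

REPORTING_ROLES = frozenset({"agent", "admin"})


def run_report_query_vulnerable(conn: sqlite3.Connection, caller: Caller, sql: str) -> list:
    # Defect: the endpoint trusts that only privileged users reach it and runs
    # whatever query it is handed; the caller object is never consulted.
    return conn.execute(sql).fetchall()


def run_report_query_fixed(conn: sqlite3.Connection, caller: Caller, sql: str) -> list:
    # Fix: authorize every call against the caller's role before executing.
    # (A real service would also constrain the statement itself; the role check
    # alone is what the vulnerable endpoint was missing.)
    if caller.role not in REPORTING_ROLES:
        raise Forbidden(f"role {caller.role!r} may not run reporting queries")
    return conn.execute(sql).fetchall()


def demo() -> dict:
    """Run both patterns against the sample data and return the outcomes."""
    conn = build_db()
    end_user = Caller(user_id=7, account_id=100, role="end_user")
    admin = Caller(user_id=1, account_id=100, role="admin")
    # A subject value that, spliced in unescaped, turns the filter into a tautology.
    crafted_subject = "x' OR '1'='1"
    report_sql = "SELECT requester_email FROM tickets"

    try:
        run_report_query_fixed(conn, end_user, report_sql)
        end_user_blocked = False
    except Forbidden:
        end_user_blocked = True

    return {
        "vuln_rows_leaked": len(search_tickets_vulnerable(conn, crafted_subject)),
        "fixed_rows_leaked": len(search_tickets_fixed(conn, end_user, crafted_subject)),
        "vuln_endpoint_rows_for_end_user": len(run_report_query_vulnerable(conn, end_user, report_sql)),
        "fixed_endpoint_blocks_end_user": end_user_blocked,
        "fixed_endpoint_rows_for_admin": len(run_report_query_fixed(conn, admin, report_sql)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the second pattern is that the authorization decision has to live at the endpoint that executes the query, not be inferred from which UI normally reaches it: a self-registered end user sits behind the same API surface as an agent, so the check on `caller.role` is the control that separates the two, and logging rejected calls from that check is a cheap detection signal for probing.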
Varonis said the issues were disclosed to Zendesk on August 30, and the company fixed the weaknesses on September 8, 2022.