
Researchers Reported Critical SQLi and Access Flaws in Zendesk Analytics Service

by crpt os


Cybersecurity researchers have disclosed details of now-patched flaws in Zendesk Explore that could have been exploited by an attacker to gain unauthorized access to information from customer accounts that have the feature turned on.

“Before it was patched, the flaw would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk accounts with Explore enabled,” Varonis said in a report shared with The Hacker News.

The cybersecurity firm said there was no evidence that the issues were exploited in real-world attacks. Because the flaws were fixed on Zendesk's side, no action is required of customers.

Zendesk Explore is a reporting and analytics solution that allows organizations to “view and analyze key information about your customers, and your support resources.”


According to the security software company, exploitation first requires an attacker to register as a new external user on the victim's Zendesk ticketing service, a feature that is likely enabled by default so that end-users can submit support tickets.

The first vulnerability is an SQL injection in Explore's GraphQL API that could be abused to exfiltrate all information stored in the database with the privileges of an admin user, including email addresses, tickets, and conversations with live agents.


A second flaw is a logical access-control issue in a query execution API, which ran queries without checking whether the user making the call had permission to do so.

“This meant that a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account’s RDS, no SQLi required,” Varonis said.
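As an added illustration (constructed example code, not Zendesk's or Varonis's; the schema, the users, the saved-query names and the function names are all assumptions, and nothing here describes how Zendesk Explore is actually built), the following Python models the two flaw classes described above on an in-memory SQLite database: a query resolver that pastes a caller-supplied filter into SQL beside its parameterized fix, and a query-execution endpoint that runs whatever it is handed beside one that checks the caller's role and only runs server-side saved queries.

```python
"""Constructed example modelling the two flaw classes in the article.

This is illustrative code added here, not Zendesk's or Varonis's. The schema,
the users, the saved-query names and the function names are all assumptions;
nothing here describes how Zendesk Explore is actually implemented.
"""
import sqlite3


def build_db():
    """In-memory SQLite stand-in for one tenant's support database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT);
        CREATE TABLE tickets (id INTEGER PRIMARY KEY, requester_id INTEGER, subject TEXT);
        INSERT INTO users VALUES
            (1, 'admin@example.test',   'admin'),
            (2, 'alice@example.test',   'end_user'),
            (3, 'mallory@example.test', 'end_user');
        INSERT INTO tickets VALUES
            (1, 2, 'Billing question'),
            (2, 3, 'Login problem');
    """)
    return conn


# --- Flaw 1: SQL injection in a query resolver ------------------------------

def tickets_by_subject_vulnerable(conn, subject):
    """Deliberately vulnerable: the caller-controlled filter is pasted into SQL.

    A newly registered end-user who can reach this resolver can close the
    string literal and UNION in any other table, for example with
    "x' UNION SELECT id, 0, email FROM users --".
    """
    sql = f"SELECT id, requester_id, subject FROM tickets WHERE subject = '{subject}'"
    return conn.execute(sql).fetchall()


def tickets_by_subject_fixed(conn, subject):
    """Hardened: the filter is bound as a parameter, so it can only ever be data."""
    sql = "SELECT id, requester_id, subject FROM tickets WHERE subject = ?"
    return conn.execute(sql, (subject,)).fetchall()


# --- Flaw 2: query execution without an authorization check -----------------

def execute_query_vulnerable(conn, user_id, query):
    """Deliberately vulnerable: runs whatever SQL the caller supplies.

    user_id is accepted but never consulted, so an end-user can read any
    table in the database without needing an injection at all.
    """
    return conn.execute(query).fetchall()


# Hardened design: callers name a server-side saved query instead of sending
# SQL. Each entry lists the roles allowed to run it and whether its single
# parameter is bound to the caller's own id (row scoping done server-side).
SAVED_QUERIES = {
    "my_tickets": (
        "SELECT id, subject FROM tickets WHERE requester_id = ?",
        {"end_user", "agent", "admin"},
        True,
    ),
    "all_tickets": (
        "SELECT id, requester_id, subject FROM tickets",
        {"agent", "admin"},
        False,
    ),
}


def execute_query_fixed(conn, user_id, query_name):
    """Hardened: resolve the caller's role, check it against the saved query's
    allow-list, and bind any row-scoping parameter to the caller's own id."""
    row = conn.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise PermissionError("unknown user")
    role = row[0]
    try:
        sql, allowed_roles, scoped_to_caller = SAVED_QUERIES[query_name]
    except KeyError:
        raise KeyError(f"no saved query named {query_name!r}") from None
    if role not in allowed_roles:
        raise PermissionError(f"role {role!r} may not run {query_name!r}")
    params = (user_id,) if scoped_to_caller else ()
    return conn.execute(sql, params).fetchall()


def is_denied(conn, user_id, query_name):
    """True when execute_query_fixed refuses the call on authorization grounds."""
    try:
        execute_query_fixed(conn, user_id, query_name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    payload = "x' UNION SELECT id, 0, email FROM users --"
    print("SQLi, vulnerable resolver:", tickets_by_subject_vulnerable(db, payload))
    print("SQLi, fixed resolver:     ", tickets_by_subject_fixed(db, payload))
    print("end-user, vulnerable API: ", execute_query_vulnerable(db, 3, "SELECT email FROM users"))
    print("end-user, fixed API:      ", execute_query_fixed(db, 3, "my_tickets"))
    print("end-user denied all_tickets:", is_denied(db, 3, "all_tickets"))
```

The two fixes are independent: parameter binding stops the filter from being interpreted as SQL, while the allow-list plus server-side scoping stops an authenticated but unprivileged caller from choosing what the query does in the first place. Both are needed, since a parameterized query that any end-user can point at any table is exactly the second flaw.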

Varonis said the issues were disclosed to Zendesk on August 30, 2022, and that the company fixed them on September 8, 2022.
