CVE-2020-13992
published 2020-07-09CVE-2020-13992: An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A Stored XSS issue allows remote unauthenticated attackers to abuse a helpdesk user's logged…
PriorityP427medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
1.21%
64.5th percentile
An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A Stored XSS issue allows remote unauthenticated attackers to abuse a helpdesk user's logged in session. A user with sufficient privileges to change their login-page image must open a crafted ticket.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mods-for-hesk | mods_for_hesk | 3.1.0 – 2019.1.0 | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-w2j7-cqvr-h9j4: An issue was discovered in Mods for HESK 3
ghsa_unreviewed·2022-05-24·CVSS 6.1
CVE-2020-13994 [MEDIUM] CWE-94 GHSA-w2j7-cqvr-h9j4: An issue was discovered in Mods for HESK 3
An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A privileged user can achieve code execution on the server via a ticket because of improper access control of uploaded resources. This might be exploitable in conjunction with CVE-2020-13992 by an unauthenticated attacker.
GHSA
GHSA-596p-vvxh-vqg6: An issue was discovered in Mods for HESK 3
ghsa_unreviewed·2022-05-24
CVE-2020-13992 [MEDIUM] GHSA-596p-vvxh-vqg6: An issue was discovered in Mods for HESK 3
An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A Stored XSS issue allows remote unauthenticated attackers to abuse a helpdesk user's logged in session. A user with sufficient privileges to change their login-page image must open a crafted ticket.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-07-09
Published