CVE-2020-2500

CWE-284Improper Access ControlCWE-321CWE-798Hard-coded CredentialsCWE-22Path Traversal4 documents4 sources
Severity
6.5MEDIUM
EPSS
0.3%
top 51.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Qnap Systems Inc. HelpdeskQnap Helpdesk
Timeline
PublishedJul 1
Latest updateJun 9

Description

This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDqnap/helpdesk< 3.0.1
CVEListV5qnap_systems_inc./helpdeskunspecified3.0.1

🔴Vulnerability Details

3
GHSA
Arbitrary file read using percent-encoded relative paths in FileMiddleware2023-06-09
GHSA
GHSA-v7p7-qff5-5j8w: This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service2022-05-24
CVEList
CVE-2020-2500: This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service2020-07-01
CVE-2020-2500 (MEDIUM CVSS 6.5) | This improper access control vulner | cvebase.io