Vulnerability Management, Identity

Patched Zendesk Explore bugs detailed

Threat actors could have exploited two since-patched vulnerabilities in Zendesk Explore, the company's reporting and analytics product, to gain unauthorized access to customer account data, according to The Hacker News, which cited research from Varonis. Varonis found no indication that either flaw had been actively exploited. The first bug was a SQL injection in a GraphQL API: an attacker who registered as a new external user (an end-user) on a victim's Zendesk account could use it to exfiltrate tickets, email addresses, live agent conversations and other data that would normally be visible only to an admin user. The second was a logical access flaw in a query execution API that did not adequately check the caller's permissions. "This meant that a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account's RDS, no SQLi required," said Varonis, which noted that both flaws were fixed on Sept. 8, a little over a week after it reported them to Zendesk.
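The two bug classes the article describes, a SQL injection through a string-built query and a query execution endpoint that never checks the caller's role, are easy to reproduce in miniature. The Python below is an added illustration written for this page; it is not Zendesk's or Varonis's code and says nothing about how Zendesk Explore is actually built. Every table, column, role and function name in it is assumed for the demonstration, and the sample rows are constructed. It pairs each vulnerable pattern with the single hardened form that closes both: a role check before any report runs, query text chosen server-side by report id, and client input bound as a parameter.

```python
import sqlite3

# Constructed sample data for this illustration: a users table carrying the
# end-user / agent / admin roles the article mentions, and a tickets table with
# rows from two separate accounts. Schema and names are hypothetical.
def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users   (id INTEGER PRIMARY KEY, account_id INTEGER, role TEXT);
        CREATE TABLE tickets (id INTEGER PRIMARY KEY, account_id INTEGER,
                              subject TEXT, requester_email TEXT);
        INSERT INTO users VALUES (1, 100, 'admin'), (2, 100, 'end-user'), (3, 200, 'agent');
        INSERT INTO tickets VALUES
            (10, 100, 'Login broken',     'alice@example.com'),
            (11, 100, 'Invoice question', 'bob@example.com'),
            (12, 200, 'Refund request',   'carol@example.org');
    """)
    return db


def caller(db: sqlite3.Connection, user_id: int) -> tuple:
    """Authenticate only: return (role, account_id) for an existing user."""
    row = db.execute("SELECT role, account_id FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise PermissionError("unknown user")
    return row


# --- Vulnerable patterns (hypothetical, for illustration) -----------------------

def vulnerable_search(db, user_id, subject_filter):
    """Bug 1 pattern: a reporting resolver splices a client-supplied GraphQL
    argument straight into SQL. Any authenticated user, including an end-user
    who registered minutes ago, can turn the filter into a UNION query."""
    _, account_id = caller(db, user_id)
    sql = (f"SELECT subject FROM tickets WHERE account_id = {account_id} "
           f"AND subject LIKE '%{subject_filter}%'")
    return [row[0] for row in db.execute(sql)]


def vulnerable_run_query(db, user_id, query_text):
    """Bug 2 pattern: a query execution endpoint runs whatever query text the
    client sends. The only check is that the caller is logged in, so an
    end-user can replace the intended query with one that reads any table."""
    caller(db, user_id)
    return db.execute(query_text).fetchall()


# --- Hardened form ---------------------------------------------------------------

# Report definitions live server-side; the client picks an id, never sends SQL.
REPORTS = {
    "ticket_subjects": "SELECT subject FROM tickets WHERE account_id = ? AND subject LIKE ?",
}
REPORTING_ROLES = {"agent", "admin"}


def hardened_report(db, user_id, report_id, subject_filter=""):
    """Authorize the role, scope to the caller's own account, and bind user
    input as a parameter so it can never change the shape of the query."""
    role, account_id = caller(db, user_id)
    if role not in REPORTING_ROLES:
        raise PermissionError(f"role {role!r} may not run reports")
    sql = REPORTS.get(report_id)
    if sql is None:
        raise ValueError(f"unknown report {report_id!r}")
    return [row[0] for row in db.execute(sql, (account_id, f"%{subject_filter}%"))]


if __name__ == "__main__":
    db = build_db()
    payload = "' UNION SELECT requester_email FROM tickets --"
    print("end-user via vulnerable_search:", vulnerable_search(db, 2, payload))
    print("end-user via vulnerable_run_query:",
          vulnerable_run_query(db, 2, "SELECT requester_email FROM tickets"))
    try:
        hardened_report(db, 2, "ticket_subjects", payload)
    except PermissionError as exc:
        print("end-user via hardened_report:", exc)
    print("admin via hardened_report:", hardened_report(db, 1, "ticket_subjects", payload))
```

Run as-is, the end-user (id 2) pulls requester emails from both accounts through either vulnerable function, while the hardened endpoint refuses the end-user outright and, for an admin, treats the same payload as an ordinary substring that matches nothing. Binding the parameter stops SQL injection but not LIKE wildcard abuse (`%` and `_` in the filter), so a real endpoint should also escape or reject those characters and cap result sizes.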
