Threat actors could exploit already-addressed Zendesk Explore vulnerabilities to achieve unauthorized access to customer account information, according to The Hacker News.
However, there has been no indication of any active exploitation of the flaws impacting the reporting and analytics solution, a report from Varonis revealed. Attackers registered as a new external user of the victim's Zendesk account could leverage the first bug, a SQL injection in the GraphQL API, to exfiltrate tickets, email addresses, live agent conversations, and other stored data as an admin user.
Meanwhile, the other vulnerability was a logic flaw in a query execution API that did not adequately check user permissions.
"This meant that a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account's RDS, no SQLi required," said Varonis, which noted that both flaws were addressed on Sept. 8, a little over a week after it reported the bugs to Zendesk.