Cybersecurity researchers have disclosed particulars of now-patched flaws in Zendesk Discover that would have been exploited by an attacker to realize unauthorized entry to data from buyer accounts which have the characteristic turned on.
“Earlier than it was patched, the flaw would have allowed menace actors to entry conversations, e-mail addresses, tickets, feedback, and different data from Zendesk accounts with Discover enabled,” Varonis stated in a report shared with The Hacker Information.
The cybersecurity agency stated there was no proof to recommend that the problems have been actively exploited in real-world assaults. No motion is required on the a part of the shoppers.
Zendesk Discover is a reporting and analytics answer that enables organizations to “view and analyze key details about your clients, and your help assets.”
Based on the safety software program firm, exploitation of the shortcoming first requires an attacker to register for the ticketing service of its sufferer’s Zendesk account as a brand new exterior consumer, a characteristic that is probably enabled by default to permit end-users to submit help tickets.
The vulnerability pertains to an SQL injection in its GraphQL API that might be abused to exfiltrate all data saved within the database as an admin consumer, together with e-mail addresses, tickets, and conversations with dwell brokers.
A second flaw issues a logic entry situation related to a question execution API, which was configured to run the queries with out checking if the “consumer” making the decision had sufficient permission to take action.
“This meant {that a} newly created end-user might invoke this API, change the question, and steal knowledge from any desk within the goal Zendesk account’s RDS, no SQLi required,”
Varonis stated the problems have been disclosed to Zendesk on August 30, following which the weaknesses have been rectified by the corporate on September 8, 2022.
