After auditing the security of the helpdesk software solution Deskpro in accordance with the company's Responsible Disclosure Bug Bounty Program, the Checkmarx Security Research Team discovered a severe cross-site scripting (XSS) issue that can be exploited in multiple ways.

Deskpro is a multichannel helpdesk software solution that helps thousands of organizations manage their customer communications and user base across multiple channels, including email, live chat, voice and social media. It can be deployed on the organization's own server infrastructure or via public or private cloud services.

According to the researchers, successful exploitation of the discovered XSS vulnerability could have allowed attackers to hijack admin sessions and take over the accounts of helpdesk agents. This would give the attackers the same privileges as admins and agents, both in what they can execute and in the information they can access. In certain cases, attackers would have been able to reset the helpdesk, wiping all system data.

This issue was found in Deskpro version 2020.2.9, running in a Docker container built from the official Deskpro Docker image.

After discovering and validating the vulnerability, the researchers notified Deskpro of the findings and worked with the vendor throughout the remediation process until Deskpro informed them that everything had been appropriately patched.

Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Fla.-based provider of cybersecurity and compliance software, says, "The story of this vulnerability is proving again that there is no such thing as error-free code. Deskpro was quick in reacting to Checkmarx and in fixing the issue, while asking for a 90-day hold period was reasonable to get the majority of installations patched. As usual, attackers will find those who haven't heard the call. It is also a reason why the essential controls everyone should have in place are called 'essential'. Controlling all changes to your environment ensures detection of unwanted change, and scanning for vulnerabilities on a regular basis with an up-to-date scanner ensures that, should the call for patching have been missed, another alarm is raised."

"Exploitable software vulnerabilities will inevitably occur, and when they do some adversaries may be in a position to take advantage of them – it’s just the nature of the beast, and it’s incumbent on organizations to plan for this eventuality," says Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers.

For detailed findings, please visit https://www.checkmarx.com/blog/assistance-required-xss-vulnerability-discovered-in-helpdesk-software-solution-deskpro/