Vendor: Faveo Helpdesk
By: @rungga_reksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy
CVSS: 8.3 (HIGH)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)
Product Name: Faveo Helpdesk
Affected Version From: Community 1.9.3
Affected Version To: Community 1.9.3
Patch Exists: YES
Related CVE: 2017-7571
CPE: a:faveo_helpdesk:faveo_helpdesk:1.9.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows Server 2012 Datacenter Evaluation
2017
CSRF / Privilege Escalation (Manipulation of Role Agent to Admin) on Faveo version Community 1.9.3
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. We found that Faveo has a CSRF vulnerability that can be used to change a user's role from Agent to Admin.
Mitigation:
The vendor has released a patch to address this vulnerability.