
Researchers Reported Critical SQLi and Access Flaws in Zendesk Analytics Service
2022-11-15 13:49

Cybersecurity researchers have disclosed details of now-patched flaws in Zendesk Explore that could have been exploited by an attacker to gain unauthorized access to information from customer accounts that have the feature turned on.

"Before it was patched, the flaw would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk accounts with Explore enabled," Varonis said in a report shared with The Hacker News.

Zendesk Explore is a reporting and analytics solution that allows organizations to "View and analyze key information about your customers, and your support resources."

According to Varonis, exploiting the flaws first requires the attacker to register with the victim's Zendesk ticketing service as a new external user, a feature that is likely enabled by default so that end users can submit support tickets.

The second flaw was an access-control logic issue in a query execution API: the API ran the submitted queries without checking whether the user making the call had permission to do so, so the authorization decision was missing entirely rather than merely misconfigured.
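To make the second flaw concrete, here is an added illustration in Python that is not Zendesk's code and not taken from the Varonis report. It models a query execution endpoint that runs saved analytics queries for any authenticated caller, beside a hardened version that checks the caller's role against the report's minimum role before executing and binds end-user reports to the caller's own email. The report names, roles, schema and ticket rows are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass

# Roles, least to most privileged. "end-user" is what a self-registered
# ticket submitter gets; "agent" and "admin" are staff. (Hypothetical names.)
ROLE_RANK = {"end-user": 0, "agent": 1, "admin": 2}


@dataclass(frozen=True)
class User:
    id: int
    email: str
    role: str


# Constructed sample data: a tiny ticket store standing in for one account's helpdesk.
SAMPLE_TICKETS = [
    (1, "alice@example.com", "Cannot log in", "Reset link sent, please retry."),
    (2, "bob@example.com", "Invoice question", "Refund approved, see attached."),
    (3, "attacker@example.com", "Hello", "Thanks for contacting us."),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, requester_email TEXT, "
        "subject TEXT, last_comment TEXT)"
    )
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?, ?)", SAMPLE_TICKETS)
    return conn


# Saved analytics queries: (SQL, minimum role, scoped to the caller's email?).
# Hypothetical report ids; not Zendesk Explore's.
REPORTS = {
    "all_tickets": (
        "SELECT id, requester_email, subject, last_comment FROM tickets",
        "agent",
        False,
    ),
    "my_tickets": (
        "SELECT id, requester_email, subject, last_comment FROM tickets "
        "WHERE requester_email = ?",
        "end-user",
        True,
    ),
}


def run_report_vulnerable(conn, user, report_id):
    """The flawed pattern: the caller is authenticated, but the endpoint never
    asks whether this user may run this query. A self-registered end-user can
    pull every requester's email, subject and last comment."""
    sql, _, scoped = REPORTS[report_id]
    params = (user.email,) if scoped else ()
    return conn.execute(sql, params).fetchall()


def run_report(conn, user, report_id):
    """Hardened: authorize on every call, then execute with bound parameters.
    Unknown roles rank below every report and are refused."""
    sql, min_role, scoped = REPORTS[report_id]
    if ROLE_RANK.get(user.role, -1) < ROLE_RANK[min_role]:
        raise PermissionError(f"{user.email} ({user.role}) may not run {report_id}")
    params = (user.email,) if scoped else ()
    return conn.execute(sql, params).fetchall()


def demo():
    """Returns (rows leaked to an end-user by the vulnerable endpoint,
    whether the hardened endpoint blocked the same call)."""
    conn = build_db()
    attacker = User(99, "attacker@example.com", "end-user")
    leaked = run_report_vulnerable(conn, attacker, "all_tickets")
    try:
        run_report(conn, attacker, "all_tickets")
        blocked = False
    except PermissionError:
        blocked = True
    return len(leaked), blocked


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that the permission check sits in the same function as the execution, keyed on the report being run, rather than being assumed to have happened at login: an authenticated session proves who the caller is, not what they may query.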

Varonis said the issues were disclosed to Zendesk on August 30, 2022, and that the company fixed them on September 8, 2022.


News URL

https://thehackernews.com/2022/11/researchers-reported-critical-sqli-and.html