Ruby Help Desk < 1.3.4 – Subscriber+ Ticket Update via IDOR | CVE 2023-1125 | Plugin Vulnerabilities

Description

The plugin does not ensure that the ticket being modified belongs to the user making the request, allowing an attacker to close and/or add files and replies to tickets other than their own.

Proof of Concept

1. Create a ticket using a user with Subscriber privileges.
2. Click on "Close Ticket" and intercept the request using an HTTP Proxy (e.g., BurpSuite). 
3. Change the value of the "post_ID" parameter to another existing Ticket ID.

Note: Since the Ticket ID (post_ID) is an incremental numerical value, it is easy to brute force it and affect all existing tickets.

Affects Plugins

Fixed in 1.3.4

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Ameen Alkurdy

Submitter

Ameen Alkurdy

Submitter website

https://ameenalkurdy.github.io/

Submitter twitter

Verified

Yes

WPVDB ID

e8a4b6ab-47f8-495d-a22c-dcf914dfb58c

Timeline

Publicly Published

2023-04-10 (about 1 years ago)

Added

2023-04-10 (about 1 years ago)

Last Updated

2023-04-10 (about 1 years ago)

Other

Published

Title

Published

2023-09-12

Title

wpDiscuz < 7.6.4 - Post Rating Increase/Decrease iva IDOR

Published

2024-03-29

Title

Whizzy <= 1.1.18 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2022-10-28

Title

Comments - wpDiscuz 7.4.2 - Subscriber+ IDOR

Published

2023-07-07

Title

Getnet Argentina para Woocommerce < 0.0.5 - Unauthenticated Authorization Bypass

Published

2021-03-31

Title

Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR