Ruby Help Desk < 1.3.4 – Subscriber+ Ticket Update via IDOR | CVE 2023-1125 | Plugin Vulnerabilities

Description

The plugin does not ensure that the ticket being modified belongs to the user making the request, allowing an attacker to close and/or add files and replies to tickets other than their own.

Proof of Concept

1. Create a ticket using a user with Subscriber privileges.
2. Click on "Close Ticket" and intercept the request using an HTTP Proxy (e.g., BurpSuite). 
3. Change the value of the "post_ID" parameter to another existing Ticket ID.

Note: Since the Ticket ID (post_ID) is an incremental numerical value, it is easy to brute force it and affect all existing tickets.

Affects Plugins

Fixed in 1.3.4

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Ameen Alkurdy

Submitter

Ameen Alkurdy

Submitter website

https://ameenalkurdy.github.io/

Submitter twitter

Verified

Yes

WPVDB ID

e8a4b6ab-47f8-495d-a22c-dcf914dfb58c

Timeline

Publicly Published

2023-04-10 (about 2 years ago)

Added

2023-04-10 (about 2 years ago)

Last Updated

2023-04-10 (about 2 years ago)

Other

Published

Title

Published

2024-05-15

Title

BuddyBoss Platform < 2.6.0 - Subscriber+ Comment on Private Post via IDOR

Published

2025-04-17

Title

Avatar <= 0.1.4 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2024-09-04

Title

Jetpack < 13.8 - Unauthenticated Arbitrary Block & Shortcode Execution

Published

2023-06-12

Title

Tutor LMS < 2.2.1 - Unauthenticated Access to Tutor LMS Lesson Resources via REST API

Published

2024-03-26

Title

Event Tickets and Registration < 5.8.3 - Improper Authorization to Information Disclosure