Threat actors could exploit already-addressed Zendesk Explore vulnerabilities to achieve unauthorized access to customer account information, according to The Hacker News.
However, there has been no indication of any active exploitation of the flaws in the reporting and analytics solution, according to a report from Varonis. An attacker registered as a new external user of a victim's Zendesk account could leverage the first bug, a SQL injection in the GraphQL API, to exfiltrate tickets, email addresses, live agent conversations, and other data stored for an admin user.
The other vulnerability was a logic access flaw in the query execution API that involved inadequate checking of user permissions.
"This meant that a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account's RDS, no SQLi required," said Varonis, which noted that both flaws were addressed on Sept. 8, a little over a week after it reported the bugs to Zendesk.
Patched Zendesk Explore bugs detailed
SC Media's daily must-read of the most current and pressing daily news