Moderate severity · NVD Advisory · Published May 31, 2025 · Updated Jun 2, 2025

CVE-2018-25111

Description

django-helpdesk before 1.0.0 allows Sensitive Data Exposure because of os.umask(0) in models.py.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

django-helpdesk before 1.0.0 uses os.umask(0), causing sensitive ticket data exposure via world-readable attachment directories.

Vulnerability Analysis

CVE-2018-25111 describes a sensitive data exposure vulnerability in django-helpdesk, a Django-based ticket tracker for internal help desks [1]. The root cause is a call to os.umask(0) in models.py, which clears the process's file-creation mask. The directories the application then creates to hold ticket attachments are made with an explicit 0o777 mode that nothing masks, so they end up world-readable (and world-writable) with mode 0777 [2].

Attack Surface & Exploitation

No authentication or specialized privileges are required to exploit the misconfiguration; any local user or process on the same filesystem can read the exposed directories. The vulnerability is triggered during normal operation whenever the application creates the attachment storage directory. While the immediate attack surface is local filesystem access, the exposure of attachment contents can leak sensitive information contained within support tickets, such as user data, internal communications, or confidential files [2].

Impact & Mitigation

An attacker with local access can read all ticket attachments, leading to unauthorized disclosure of sensitive data. The issue is fixed in django-helpdesk version 1.0.0, which removes the os.umask(0) call and replaces the hard-coded 0o777 directory mode with the configurable HELPDESK_ATTACHMENT_DIR_PERMS setting, defaulting to 755 [1][2]. Administrators should upgrade to 1.0.0 or later. The vulnerability is also tracked in the Python advisory database as PYSEC-2025-44 [4].
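As an added illustration (not code from django-helpdesk or from this advisory), the following Python reproduces the pre-1.0.0 and the fixed directory-creation behaviour side by side in a scratch MEDIA_ROOT, and includes an audit walk that lists directories other local users can write to, which matters because the fix changes only how new directories are created and leaves directories created by older versions untouched. The ticket values and the 0o022 umask standing in for the service account are constructed assumptions.

```python
import os
import shutil
import stat
import tempfile

FIXED_DIR_MODE = int("755", 8)  # default the 1.0.0 fix reads from HELPDESK_ATTACHMENT_DIR_PERMS
TYPICAL_UMASK = 0o022  # assumed umask of the service account; the fixed code inherits it


def make_attachment_dir(root, rel_path, mode, umask):
    """Create root/rel_path (and parents) under an explicit umask, restore the old umask,
    and return the leaf's permission bits. umask=0 with mode=0o777 is the pre-1.0.0 path."""
    path = os.path.join(root, rel_path)
    old_umask = os.umask(umask)  # umask is process-wide, hence the restore in finally
    try:
        os.makedirs(path, mode, exist_ok=True)
    finally:
        os.umask(old_umask)
    return stat.S_IMODE(os.stat(path).st_mode) & 0o777


def find_world_writable_dirs(media_root):
    """Audit: directories under media_root that 'other' can write to. Directories made by
    vulnerable releases keep 0777 after an upgrade, so run this against the real MEDIA_ROOT."""
    hits = []
    for dirpath, dirnames, _ in os.walk(media_root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, media_root).replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Build one tree the old way and one the fixed way inside a scratch MEDIA_ROOT."""
    media_root = tempfile.mkdtemp()
    try:
        # Constructed sample values; layout mirrors attachment_path() in helpdesk/models.py.
        rel = "helpdesk/attachments/{ticket_for_url}-{secret_key}/{id_}".format(
            ticket_for_url="Q-1", secret_key="s3cret", id_=7)
        return {
            "vulnerable_leaf_mode": make_attachment_dir(media_root, "vulnerable/" + rel, 0o777, 0),
            # 0o755 masked by 0o022 stays 0o755: no write for 'other', but still r-x ("750" on shared hosts)
            "fixed_leaf_mode": make_attachment_dir(media_root, "fixed/" + rel, FIXED_DIR_MODE, TYPICAL_UMASK),
            "world_writable": find_world_writable_dirs(media_root),
        }
    finally:
        shutil.rmtree(media_root)
```

demo() returns the two leaf modes (0o777 versus 0o755) and the audit result, in which only the tree built the old way appears.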

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: django-helpdesk (PyPI)
Affected versions: < 1.0.0
Patched versions: 1.0.0

Patches

f872ec252769

Merge pull request #1120 from fazledyn-or/Fix_File_Permission_777

https://github.com/django-helpdesk/django-helpdesk · Christopher Broderick · Oct 13, 2023 · via GHSA
2 files changed · +10 −4
  • helpdesk/models.py (+2 −4, modified)
    @@ -1137,15 +1137,14 @@ class FollowUpAttachment(Attachment):
     
         def attachment_path(self, filename):
     
    -        os.umask(0)
             path = 'helpdesk/attachments/{ticket_for_url}-{secret_key}/{id_}'.format(
                 ticket_for_url=self.followup.ticket.ticket_for_url,
                 secret_key=self.followup.ticket.secret_key,
                 id_=self.followup.id)
             att_path = os.path.join(settings.MEDIA_ROOT, path)
             if settings.DEFAULT_FILE_STORAGE == "django.core.files.storage.FileSystemStorage":
                 if not os.path.exists(att_path):
    -                os.makedirs(att_path, 0o777)
    +                os.makedirs(att_path, helpdesk_settings.HELPDESK_ATTACHMENT_DIR_PERMS)
             return os.path.join(path, filename)
     
     
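Review bot: os.makedirs(att_path, helpdesk_settings.HELPDESK_ATTACHMENT_DIR_PERMS) applies the mode only to the leaf directory `{id_}`; on Python 3.7 and later the parent `{ticket_for_url}-{secret_key}` directory created in the same call gets the default 0o777 masked by the process umask, so its permissions now depend on the service's umask rather than on the new setting. If that parent is meant to honour HELPDESK_ATTACHMENT_DIR_PERMS too, create it explicitly or chmod it after the makedirs. Removing os.umask(0) is the essential part of this change, since umask is process-wide and the old call loosened every file the worker created afterwards, not only attachments. The `if not os.path.exists(att_path)` followed by makedirs still races with a concurrent upload creating the same directory; `os.makedirs(att_path, perms, exist_ok=True)` closes that window.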
    @@ -1159,14 +1158,13 @@ class KBIAttachment(Attachment):
     
         def attachment_path(self, filename):
     
    -        os.umask(0)
             path = 'helpdesk/attachments/kb/{category}/{kbi}'.format(
                 category=self.kbitem.category,
                 kbi=self.kbitem.id)
             att_path = os.path.join(settings.MEDIA_ROOT, path)
             if settings.DEFAULT_FILE_STORAGE == "django.core.files.storage.FileSystemStorage":
                 if not os.path.exists(att_path):
    -                os.makedirs(att_path, 0o777)
    +                os.makedirs(att_path, helpdesk_settings.HELPDESK_ATTACHMENT_DIR_PERMS)
             return os.path.join(path, filename)
     
     
    
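Review bot: This method is a line-for-line copy of FollowUpAttachment.attachment_path above apart from the path template, and the permission handling has now had to be changed in two places (the same leaf-only mode caveat applies here as well). Consider moving the MEDIA_ROOT join, the FileSystemStorage check and the makedirs call into a shared helper on the Attachment base class so the next permission change cannot miss one of the two copies.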
  • helpdesk/settings.py (+8 −0, modified)
    @@ -265,3 +265,11 @@
     
     # Set Debug Logging Level for IMAP Services. Default to '0' for No Debugging
     HELPDESK_IMAP_DEBUG_LEVEL = getattr(settings, 'HELPDESK_IMAP_DEBUG_LEVEL', 0)
    +
    +#############################################
    +# file permissions - Attachment directories #
    +#############################################
    +
    +# Attachment directories should be created with permission 755 (rwxr-xr-x)
    +# Override it in your own Django settings.py
    +HELPDESK_ATTACHMENT_DIR_PERMS = int(getattr(settings, 'HELPDESK_ATTACHMENT_DIR_PERMS', "755"), 8)
    
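Review bot: `int(getattr(settings, 'HELPDESK_ATTACHMENT_DIR_PERMS', "755"), 8)` only works when the override is a string of octal digits; an administrator who writes the natural `HELPDESK_ATTACHMENT_DIR_PERMS = 0o750` in settings.py gets a TypeError at import time, because int() rejects a base argument for non-string input. Either accept both forms (`value = getattr(...)`, then `value if isinstance(value, int) else int(value, 8)`) or state the expected string form in the comment, which currently only says "Override it in your own Django settings.py". It is also worth noting in that comment that the 755 default still lets every local account traverse and list attachment directories; on shared hosts 750 or 700 is the value to recommend.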

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
