VYPR
Unrated severity · NVD Advisory · Published Oct 12, 2020 · Updated May 30, 2025

CVE-2020-26546

Description

HelpDeskZ 1.0.2 suffers from SQL injection in the RememberMe auto-login feature, allowing unauthenticated attackers to extract sensitive data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

HelpDeskZ version 1.0.2 contains an SQL injection vulnerability in the auto-login functionality (RememberMe). The feature does not properly sanitize user-supplied input before using it in a database query, enabling an attacker to inject arbitrary SQL commands. The vulnerability is present in the code handling the RememberMe cookie or token validation [2].

Exploitation

An attacker can exploit this vulnerability without authentication by sending a crafted HTTP request that includes malicious SQL payloads via the RememberMe parameter. No special network position is required; the attack can be performed remotely over the network. The CVSS vector indicates low attack complexity and no user interaction needed [2].

Impact

Successful exploitation allows an attacker to retrieve sensitive information from the database, such as user credentials or other confidential data. The CVSS score of 7.5 (High) reflects a confidentiality impact of HIGH, with no impact on integrity or availability [2]. The attack requires no privileges, and because the product is no longer supported by the maintainer, the risk to remaining users is increased.

Mitigation

As of the advisory publication, there is no known fix for this vulnerability. The vendor was contacted but has not provided a patch [2]. Since HelpDeskZ 1.0.2 is end-of-life and no longer supported, users are advised to migrate to an alternative solution or implement additional security controls such as Web Application Firewalls to mitigate exploitation.
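The flaw described under Vulnerability and the hardening suggested under Mitigation, as an added illustration of the vulnerability class (this is constructed example code, not HelpDeskZ's code or a patch for it): a RememberMe cookie value concatenated into a SQL query lets the client rewrite the query, while binding it as a parameter does not. The table layout, token format and function names are assumptions; a production implementation should additionally store only a hash of the token and compare it in constant time.

```python
import re
import sqlite3

# Constructed sample data: one user whose RememberMe token is stored in the database.
# The schema and token format are assumptions for this illustration, not HelpDeskZ's.
VALID_TOKEN = "f3a1c9e74b2d8a60"
_DB = sqlite3.connect(":memory:", check_same_thread=False)
_DB.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, token TEXT)")
_DB.execute("INSERT INTO users VALUES (1, 'alice', ?)", (VALID_TOKEN,))


def vulnerable_autologin(cookie_value: str):
    """Flawed pattern: the cookie value is concatenated into the SQL text,
    so whatever the client sends is interpreted as part of the query."""
    query = "SELECT username FROM users WHERE token = '" + cookie_value + "'"
    row = _DB.execute(query).fetchone()
    return row[0] if row else None


def hardened_autologin(cookie_value: str):
    """Hardened pattern: validate the cookie's shape, then bind it as a
    query parameter so the driver never treats it as SQL."""
    if not re.fullmatch(r"[0-9a-f]{16,128}", cookie_value):
        return None  # reject anything that is not a hex token of plausible length
    row = _DB.execute(
        "SELECT username FROM users WHERE token = ?", (cookie_value,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Feed a tautology instead of a token to both variants and return
    (vulnerable result, hardened result)."""
    crafted = "' OR '1'='1"
    return vulnerable_autologin(crafted), hardened_autologin(crafted)


if __name__ == "__main__":
    print(demo())  # ('alice', None)
```

The vulnerable variant logs the attacker in as the first matching user without any valid token, which is the same class of unauthenticated access the advisory describes; the hardened variant returns no user.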

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (No linked articles in our index yet.)