Critical severity 9.9 · NVD Advisory · Published Nov 9, 2023 · Updated Jun 17, 2026
CVE-2021-43609
Description
An issue was discovered in Spiceworks Help Desk Server before 1.3.3. A Blind Boolean SQL injection vulnerability within the order_by_for_ticket function in app/models/reporting/database_query.rb allows an authenticated attacker to execute arbitrary SQL commands via the sort parameter. This can be leveraged to leak local files from the host system, leading to remote code execution (RCE) through deserialization of malicious data.
Affected products
- Spiceworks/Help Desk Server (description)
  - Range: <1.3.3
References
- www.linkedin.com/pulse/cve-2021-43609-write-up-division5-security-4lgwe (nvd: Exploit, Third Party Advisory)
- community.spiceworks.com/blogs/help-desk-server-release-notes/3610-1-3-2-1-3-3 (nvd: Release Notes)