VYPR
Medium severity 5.4 · NVD Advisory · Published Dec 18, 2025 · Updated Apr 15, 2026

CVE-2023-53935

Description

WBiz Desk 1.2 contains a SQL injection vulnerability that allows non-admin users to manipulate database queries through the 'tk' parameter in ticket.php. Attackers can inject crafted SQL statements using UNION-based techniques to extract sensitive database information by sending malformed requests to the ticket endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WBiz Desk 1.2 has a SQL injection vulnerability in ticket.php that lets non-admin users extract database contents via the 'tk' parameter.

Vulnerability

Overview

WBiz Desk 1.2 contains a SQL injection vulnerability in the ticket.php endpoint. The tk parameter is not properly sanitized, allowing an authenticated non-admin user to inject arbitrary SQL commands. The official description and advisory confirm that UNION-based injection techniques can be used to manipulate database queries [1][2].

Exploitation

An attacker with a standard user account can send a crafted request to /ticket.php?tk=[payload]. A proof-of-concept exploit demonstrates appending a UNION SELECT statement to the tk parameter value, which returns the results of the injected query alongside legitimate data [3]. No special privileges beyond a normal user login are required, and the attack is performed over the network [2].

Impact

Successful exploitation allows the attacker to extract sensitive information from the underlying database. The CVSS v3.1 vector indicates low impact to confidentiality and integrity, with no impact on availability [3]. The vulnerability is classified under the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application) [3].

Mitigation

As of the publication date, no patch has been released for WBiz Desk 1.2. The vendor page lists the product as available for purchase, but no update addressing this vulnerability has been identified [1]. Users should consider restricting access to the ticket endpoint or migrating to an alternative help desk solution until a fix is provided.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
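The advisory describes the flaw class (a request parameter concatenated into the ticket query) but the vendor code is not on the page and no patch exists. The following is an added illustration, not WBiz Desk's ticket.php, written in Python with an in-memory SQLite table standing in for the help-desk database. It assumes that tk is a numeric ticket id (the page does not say what the parameter holds) and invents the table and column names. It places the concatenation pattern next to the hardened form a maintainer would substitute: allow-list validation of the parameter, a bound query parameter so the value is never parsed as SQL, and an ownership condition inside the query so a non-admin user cannot read other users' tickets.

```python
import re
import sqlite3

# Constructed sample data standing in for the help-desk database.
# Table and column names are assumptions, not WBiz Desk's schema.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT, subject TEXT)"
    )
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?)",
        [
            (1, "alice", "Printer offline"),
            (2, "bob", "VPN password reset"),
            (3, "carol", "Billing question"),
        ],
    )
    return conn


def lookup_ticket_vulnerable(conn: sqlite3.Connection, tk: str) -> list:
    # The flaw class in the advisory: the raw request parameter becomes part
    # of the SQL text, so whatever the client sends is parsed as SQL.
    sql = "SELECT id, owner, subject FROM tickets WHERE id = " + tk
    return conn.execute(sql).fetchall()


# Allow-list for the assumed ticket-id format: 1 to 10 decimal digits.
_TK_PATTERN = re.compile(r"[0-9]{1,10}")


def lookup_ticket_safe(conn: sqlite3.Connection, tk: str, owner: str) -> list:
    # 1. Reject anything that is not a plain ticket id before touching the DB.
    if not _TK_PATTERN.fullmatch(tk):
        raise ValueError("invalid ticket id")
    # 2. Bind the value as a parameter; the driver never treats it as SQL.
    # 3. Enforce ownership in the query so a normal user only reads own rows.
    return conn.execute(
        "SELECT id, owner, subject FROM tickets WHERE id = ? AND owner = ?",
        (int(tk), owner),
    ).fetchall()


def rejects(conn: sqlite3.Connection, tk: str, owner: str) -> bool:
    # True when the hardened lookup refuses the parameter outright.
    try:
        lookup_ticket_safe(conn, tk, owner)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # A tautology in the parameter widens the vulnerable query to every row.
    print("vulnerable:", lookup_ticket_vulnerable(db, "1 OR 1=1"))
    # The hardened lookup refuses the same input and otherwise scopes by owner.
    print("rejected:", rejects(db, "1 OR 1=1", "alice"))
    print("safe:", lookup_ticket_safe(db, "1", "alice"))
    print("other user's ticket:", lookup_ticket_safe(db, "2", "alice"))
```

The validation step is a defence in depth, not a substitute for the bound parameter: the parameter binding is what removes the injection, while the regex narrows the input surface and the owner condition limits what an authenticated non-admin account can retrieve even through a correct query. Until a vendor fix ships, a reverse proxy or WAF rule that enforces the same numeric shape on tk for /ticket.php gives equivalent protection at the edge.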

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.