Improper Privilege Management in uvdesk/core-framework
Jul 19th 2021
Privilege escalation bug: an agent can pin threads on a ticket they are not permitted to view.
Proof of Concept
1. First, from the admin account go to http://localhost/uvdesk/public/en/member/agents and add a new user called user B with the Agent role.
Now give user B all ticketing permissions, such as update/add/edit/delete/lock/pin a ticket, etc.
Also give the permission below:
Ticket View ---> Individual Access
So here user B can access only tickets that are assigned to him.
2. Now the admin creates a new ticket; the ticket URL will be like http://localhost/uvdesk/public/en/member/ticket/view/1 .
Don't assign this ticket to user B, so user B should not see this ticket.
3. Now go to user B's account. Here user B can't see the above ticket using the URL http://localhost/uvdesk/public/en/member/ticket/view/1 ;
user B gets "permission denied".
Finally, user B sends the request below to pin a thread.
In this URL change the ticket-id and thread-id, forward the request, and see that the thread is pinned by user B, who does not have permission.
Result: privilege escalation, allowing user B to pin threads on a ticket he is not allowed to view.
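Added example, not uvdesk's own code: a framework-agnostic sketch of the missing check, with a pin handler that consults only the pin permission (the behaviour the report describes) beside a hardened one that also resolves the ticket, enforces Individual Access, and verifies the thread belongs to the ticket named in the request. The Agent and Ticket classes, the permission names and the sample data are constructed for illustration.

```python
# Added example (not uvdesk code): authorization check for the thread-pin action.
# Data model, agent names and permission names are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional, Set

INDIVIDUAL_ACCESS = "individual"   # Ticket View: only tickets assigned to the agent
GLOBAL_ACCESS = "global"           # agent may see every ticket


@dataclass
class Agent:
    name: str
    ticket_view: str                   # INDIVIDUAL_ACCESS or GLOBAL_ACCESS
    can_pin: bool = True               # the "pin a ticket" permission


@dataclass
class Ticket:
    ticket_id: int
    assigned_to: Optional[str]         # agent name, or None if unassigned
    thread_ids: Set[int] = field(default_factory=set)


# Constructed sample data mirroring the report: ticket 1 is not assigned to user B.
TICKETS = {1: Ticket(1, assigned_to="admin", thread_ids={10, 11}),
           2: Ticket(2, assigned_to="user-B", thread_ids={20})}
AGENTS = {"user-B": Agent("user-B", INDIVIDUAL_ACCESS),
          "admin": Agent("admin", GLOBAL_ACCESS)}


def can_view_ticket(agent: Agent, ticket: Ticket) -> bool:
    """Individual Access means the agent sees only tickets assigned to them."""
    if agent.ticket_view == GLOBAL_ACCESS:
        return True
    return ticket.assigned_to == agent.name


def pin_thread_vulnerable(agent_name: str, ticket_id: int, thread_id: int) -> bool:
    """Checks the pin permission only; never asks whether the agent may see the ticket."""
    agent = AGENTS[agent_name]
    return agent.can_pin and ticket_id in TICKETS


def pin_thread_hardened(agent_name: str, ticket_id: int, thread_id: int) -> bool:
    """Allow the pin only if the agent may view the ticket and the thread belongs to it."""
    agent = AGENTS[agent_name]
    ticket = TICKETS.get(ticket_id)
    if ticket is None or not agent.can_pin:
        return False
    if not can_view_ticket(agent, ticket):
        return False                       # same "permission denied" as the view route
    return thread_id in ticket.thread_ids  # reject mismatched thread-id / ticket-id pairs
```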