Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability (CVE-2021-32076)

Security Advisory Summary

Access to the Web Help Desk Getting Started Wizard, in particular its admin account creation page, is possible from a non-privileged IP range rather than the loopback interface by intercepting the HTTP request and changing the Referer (referrer) header from the public IP to the loopback address "http://127.0.0.1:8081".
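To make the class of flaw concrete, the following is an added illustration (not SolarWinds or Web Help Desk code) that contrasts a "loopback only" gate which reads the client-supplied Referer header with one that decides on the address the server actually accepted the connection from. The trusted-proxy list, the `looks_spoofed` log heuristic and the sample requests are all constructed for this example.

```python
"""Added illustration (not SolarWinds/Web Help Desk code): why a "loopback only"
gate that reads the Referer header is bypassable, and how a gate keyed on the
transport peer address holds up. All sample requests below are constructed."""
from ipaddress import ip_address
from typing import Iterable, Mapping
from urllib.parse import urlsplit

# Origin the wizard expects, as quoted in the advisory summary.
LOOPBACK_ORIGIN = "http://127.0.0.1:8081"


def referer_origin(headers: Mapping[str, str]) -> str:
    """scheme://host[:port] taken from the Referer header, or "" if absent/malformed."""
    parts = urlsplit(headers.get("Referer", ""))
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}"


def weak_is_local(headers: Mapping[str, str], remote_addr: str) -> bool:
    """Flawed pattern (the class of check the advisory describes): the decision
    rests entirely on a header the client writes, so remote_addr never matters."""
    return referer_origin(headers) == LOOPBACK_ORIGIN


def hardened_is_local(headers: Mapping[str, str], remote_addr: str,
                      trusted_proxies: Iterable[str] = ()) -> bool:
    """Decide on the peer address of the accepted TCP connection, which the client
    cannot rewrite. Only when that peer is a trusted reverse proxy (hypothetical
    allow-list) is X-Forwarded-For consulted, and then only its rightmost entry,
    the one that proxy appended; every earlier entry is client-controlled."""
    try:
        peer = ip_address(remote_addr)
    except ValueError:
        return False
    if str(peer) in set(trusted_proxies):
        xff = headers.get("X-Forwarded-For", "")
        if not xff:
            return False
        try:
            peer = ip_address(xff.split(",")[-1].strip())
        except ValueError:
            return False
    return peer.is_loopback


def looks_spoofed(headers: Mapping[str, str], remote_addr: str) -> bool:
    """Detection heuristic for access-log review: the Referer claims the loopback
    origin but the connection itself did not come from loopback."""
    return weak_is_local(headers, remote_addr) and not hardened_is_local(headers, remote_addr)


# Constructed sample requests (not captured traffic).
LOCAL_REQUEST = {
    "headers": {"Referer": "http://127.0.0.1:8081/"},
    "remote_addr": "127.0.0.1",
}
SPOOFED_REQUEST = {  # same Referer, but the connection arrives from a public address
    "headers": {"Referer": "http://127.0.0.1:8081/"},
    "remote_addr": "203.0.113.10",
}

if __name__ == "__main__":
    for name, req in (("local", LOCAL_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        print(name, "weak:", weak_is_local(**req), "hardened:", hardened_is_local(**req),
              "spoof indicator:", looks_spoofed(**req))
```

The weak check accepts both sample requests, while the hardened check accepts only the one whose socket peer is loopback. The same reasoning applies to any client-writable header: X-Forwarded-For is only trustworthy for the hop appended by a proxy you control, which is why the hardened version consults it solely when the direct peer is on the allow-list.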

Affected Products

  • Web Help Desk 12.7.2 and earlier

Fixed Software Release

  • Web Help Desk 12.7.6

Acknowledgments

  • Moaaz Taha

Advisory Details

  • Severity: Medium
  • First Published: 08/20/2021