Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability
(CVE-2021-32076)
Security Advisory Summary
It is possible to access the “Web Help Desk Getting Started Wizard”, specifically the admin account creation page, from a non-privileged IP range or loopback by intercepting the HTTP request and changing the Referer header from the public IP to the loopback address "http://127.0.0.1:8081".
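The defect class behind this advisory is an access check that trusts a client-supplied header to decide where a request came from. The following is an added, constructed example, not SolarWinds code (the advisory does not publish Web Help Desk's actual check); the function names, the Request model and the sample addresses are assumptions. It places the header-based check beside a peer-address check and adds a small log-side indicator a defender can use to spot requests whose Referer claims loopback while the connection does not.

```python
"""Referrer-based access check versus source-address check.

Constructed illustration of the defect class in the advisory summary, not
Web Help Desk's implementation. A setup wizard that is meant to be reachable
only from loopback decides "is this local?" by reading the client-controlled
Referer header instead of the TCP peer address.
"""
import ipaddress
from dataclasses import dataclass, field

# The loopback origin quoted in the advisory summary.
LOOPBACK_ORIGIN = "http://127.0.0.1:8081"

# Networks the hardened check treats as local (assumed policy).
LOCAL_NETS = ("127.0.0.0/8", "::1/128")


@dataclass
class Request:
    """Minimal request model (hypothetical): peer address plus raw headers."""
    remote_addr: str                              # address seen on the server socket
    headers: dict = field(default_factory=dict)   # entirely client-supplied


def _is_local_addr(addr_text: str) -> bool:
    """True when the address parses and falls inside LOCAL_NETS."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in LOCAL_NETS)


def wizard_allowed_vulnerable(req: Request) -> bool:
    """Weak pattern: the decision rests on a header any client can set."""
    referer = req.headers.get("Referer", "")
    return referer.startswith(LOOPBACK_ORIGIN)


def wizard_allowed_hardened(req: Request) -> bool:
    """Corrected pattern: only the socket peer address is consulted.

    Referer, Host and X-Forwarded-For play no part in the decision. Behind a
    reverse proxy the proxy must convey the real client IP over a trusted
    channel; that configuration is outside this example.
    """
    return _is_local_addr(req.remote_addr)


def referer_claims_loopback_but_peer_is_not(req: Request) -> bool:
    """Detection indicator: a loopback Referer on a non-loopback connection.

    Useful as a log-review rule on access logs that record both fields.
    """
    referer = req.headers.get("Referer", "")
    return referer.startswith(LOOPBACK_ORIGIN) and not _is_local_addr(req.remote_addr)


def demo() -> dict:
    """Run the three checks over constructed sample requests."""
    # Constructed samples: a genuine loopback request, a public-address request
    # carrying a loopback Referer, and a public-address request with no Referer.
    genuine_local = Request("127.0.0.1", {"Referer": LOOPBACK_ORIGIN + "/setup"})
    header_only = Request("203.0.113.10", {"Referer": LOOPBACK_ORIGIN + "/setup"})
    plain_remote = Request("203.0.113.10", {})
    samples = (genuine_local, header_only, plain_remote)
    return {
        "vulnerable": [wizard_allowed_vulnerable(r) for r in samples],
        "hardened": [wizard_allowed_hardened(r) for r in samples],
        "suspicious": [referer_claims_loopback_but_peer_is_not(r) for r in samples],
    }


if __name__ == "__main__":
    print(demo())
```

The weak check admits the second sample because it never looks at where the connection came from; the corrected check admits only the first, and the indicator flags exactly the second, which is the pattern worth alerting on in web server logs for the affected versions.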
Affected Products
- Web Help Desk 12.7.2 and earlier
Fixed Software Release
Acknowledgments
- Moaaz Taha
Advisory Details
- Severity: 5.8 Medium
- Advisory ID:
- First Published: 08/20/2021
- Version: Web Help Desk 12.7.6