Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability

(CVE-2021-32076)

Security Advisory Summary

It is possible to reach the “Web Help Desk Getting Started Wizard”, specifically the admin account creation page, from a non-privileged IP range instead of the loopback interface by intercepting the HTTP request and changing the Referer header from the public IP to the loopback address "http://127.0.0.1:8081".
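The flaw class described above is an access check keyed on the client-controlled Referer header. The following is an added illustration, not SolarWinds code and not the Web Help Desk implementation: it models a loopback-only wizard check that trusts the Referer (bypassable exactly as the summary describes), the same check keyed on the socket peer address instead, and a log review that flags requests whose Referer claims loopback while the connection did not originate there. The allow-list, the `/setup-wizard/admin` path and the log format are assumptions constructed for the example.

```python
"""Added example (not SolarWinds/Web Help Desk code): Referer-based vs
peer-address-based access checks, plus a detection pass over access logs."""
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed policy: the setup wizard may only be used from the loopback interface.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def _host_of(referer: str) -> Optional[str]:
    """Hostname part of a Referer URL, or None if absent/unparseable."""
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None


def _in_allowed(addr: str) -> bool:
    """True if addr is an IP literal inside one of ALLOWED_NETWORKS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # not an IP literal (e.g. 'localhost', '-')
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def wizard_allowed_weak(headers: Dict[str, str]) -> bool:
    """Flawed pattern: the decision rests on a header the client chooses,
    so any remote client can pass by sending Referer: http://127.0.0.1:8081/."""
    host = _host_of(headers.get("Referer", ""))
    return host is not None and _in_allowed(host)


def wizard_allowed(remote_addr: str) -> bool:
    """Hardened pattern: the decision rests on the TCP peer address, which the
    server learns from the socket rather than from request content."""
    return _in_allowed(remote_addr)


# Constructed access-log lines: "<remote_addr> <method> <path> <referer>".
SAMPLE_LOG = [
    "127.0.0.1 GET /setup-wizard/admin http://127.0.0.1:8081/",
    "203.0.113.10 GET /setup-wizard/admin http://127.0.0.1:8081/",
    "203.0.113.11 GET /setup-wizard/admin http://203.0.113.11/",
    "203.0.113.12 GET /setup-wizard/admin -",
]


def flag_spoofed_referers(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Detection: report (remote_addr, path) where the Referer names a loopback
    host but the connection itself did not come from an allowed network."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        remote, _method, path, referer = parts
        host = _host_of(referer)
        if host is not None and _in_allowed(host) and not _in_allowed(remote):
            hits.append((remote, path))
    return hits


if __name__ == "__main__":
    print(flag_spoofed_referers(SAMPLE_LOG))
```

One caveat for the hardened variant: behind a reverse proxy the peer address is the proxy, and any forwarded-for header is as client-controlled as Referer unless the proxy overwrites it, so the check has to be enforced at the component that actually terminates the client connection.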

Affected Products

  • Web Help Desk 12.7.2 and earlier

Fixed Software Release

Acknowledgments

  • Moaaz Taha

Advisory Details

Severity

5.8 Medium

Advisory ID

First Published

08/20/2021

Version

Web Help Desk 12.7.6