Cybersecurity researchers have disclosed details of flaws in Zendesk Explore which when exploited by an attacker could let unauthorized access to information from customer accounts that have the feature turned on.
The flaw which has been patched now would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk accounts with Explore enabled.
The cybersecurity firm Varonis said there was no evidence to suggest that the issues were actively exploited in real-world attacks and so no action is required from the customers.
Zendesk Explore is a reporting and analytics solution that allows organizations to “view and analyze key information about your customers, and your support resources.”
On exploitation of the shortcoming first requires an attacker to register for the ticketing service of its victim’s Zendesk account as a new external user, a feature which is enabled by default to allow end-users to submit support tickets.
The vulnerability relates to an SQL injection in its GraphQL API that could be abused to exfiltrate all information stored in the database as an admin user, including email addresses, tickets, and conversations with live agents.
A second flaw is a logic access issue associated with a query execution API, which was configured to run the queries without checking if the “user” making the call had adequate permission to do so.
So a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account’s RDS, no SQLi required.
The issues were disclosed to Zendesk on August 30, and it was patched by the company on September 8, 2022.