Publish Date: Mar. 15, 2019
Summary
We've identified a vulnerability in Spiceworks Inventory online that would allow an attacker to access a victim’s PII, agent info, secret key, related help desk tickets, etc. after the victim clicks a malicious link.
Who’s Affected?
At this time, we do not believe anyone was affected by this vulnerability.
Details
An attacker could take advantage of a misconfiguration in the CORS (Cross-Origin Resource Sharing) implementation within Inventory online to gain access to a victim’s inventory information. The victim would need to be coerced into clicking a link to go to a page on the attacker’s domain that was set up in a specific way to redirect back to the victim’s Inventory address and change the origin value in the CORS implementation. The attacker could then gain access to the user’s information...
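The advisory does not say which part of the CORS check was misconfigured. As an added example (not Spiceworks code), the sketch below assumes the common case where a server derives Access-Control-Allow-Origin from the request's Origin header, and contrasts it with an exact-match allowlist; all host names and function names are constructed placeholders.

```javascript
// Added example, not Spiceworks code. Host names are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://inventory.example.com",
  "https://helpdesk.example.com",
]);

// Weak pattern (assumed for illustration): echo whatever Origin the browser
// sent and allow credentials, so any page the user visits can read responses.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: exact string match against a fixed allowlist.
// No substring or regex matching, no "null" origin, and Vary: Origin so a
// cache never serves one origin's CORS headers to another origin.
function strictCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin !== "string" || !allowed.has(requestOrigin)) {
    return headers; // no ACAO header: the browser blocks the cross-origin read
  }
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Constructed Origin values a server should expect to receive.
const SAMPLE_ORIGINS = [
  "https://inventory.example.com",                  // legitimate
  "https://attacker.example",                       // unrelated site
  "https://inventory.example.com.attacker.example", // passes naive prefix checks
  "null",                          // sandboxed frames, some cross-origin redirects
];

// Returns the sample origins for which a policy function grants CORS access.
function audit(policy) {
  return SAMPLE_ORIGINS.filter((o) => "Access-Control-Allow-Origin" in policy(o));
}

console.log("weak policy grants:  ", audit(weakCorsHeaders));
console.log("strict policy grants:", audit(strictCorsHeaders));
```

Running `audit` against a service's real policy function with its own origin list is a quick regression check after any CORS change.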