Publish Date: Dec. 14, 2018
Summary
We've identified and fixed a vulnerability within the Spiceworks Cloud Help Desk User Portal that would allow an attacker to spam the victim’s help desk with tickets even if the user portal is disabled.
Who’s Affected?
At this time we do not believe anyone was impacted by this vulnerability.
Details
The Spiceworks Cloud Help Desk uses session cookies to temporarily save information for users while they use the product. One particular session cookie did not have the “Secure” flag set. This flag tells the browser to send the cookie only over SSL, which protects the user’s information from attackers. Without it, the information in the cookie would be transmitted in cleartext if the victim were to view an HTTP URL.
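A check for this class of issue, as an added example that is not Spiceworks code: it parses Set-Cookie response headers and reports every cookie a browser would also send over plain HTTP. The cookie names and values in the sample are constructed for illustration.

```python
"""Audit Set-Cookie headers for cookies that lack the Secure attribute."""


def parse_set_cookie(header_value):
    """Return (name, attrs); attrs maps lowercased attribute names to values."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is always name=value; everything after is attributes.
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookies_missing_secure(set_cookie_headers):
    """Names of cookies that a browser would also send over plain HTTP."""
    missing = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        # Only an attribute *named* Secure counts (case-insensitive).
        # "Path=/secure" or a cookie value of "secure" must not match.
        if "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample response headers (names and values are made up).
SAMPLE_HEADERS = [
    "_portal_session=abc123; Path=/; HttpOnly",
    "_app_session=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=secure; Path=/secure",
    "csrf=xyz; path=/; secure",
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} is missing the Secure attribute")
```

Running the same check against headers captured from each response that sets a session cookie, for example in a CI test, catches a cookie that regresses to being sent without the flag.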
Mitigating Factors
In order to use this vulnerability, an attacker would have to be...