Cloud Help Desk User Portal Ticket Creation Vulnerability
Publish Date: Dec. 14, 2018 Summary We've identified and fixed a vulnerability within the Spiceworks Cloud Help Desk User Portal that would allow an attacker to spam the victim’s help desk with tickets...
Spiceworks Sub-domain TRACE Vulnerability
Publish Date: Jan. 11, 2019 Summary We've identified and fixed a vulnerability within a Spiceworks sub-domain that, when used alongside other potential vulnerabilities, could allow an attacker to steal...
Community Country PII Vulnerability
Publish Date: Feb. 1, 2019 Summary We've identified and fixed a vulnerability in the Spiceworks Community that would allow an attacker to determine the country of a user, even if that user had chosen...
Community Login URL Referer Reflected XSS Vulnerability
Publish Date: Feb. 21, 2019 Summary We've identified and fixed an issue with the login URL of Spiceworks Community that could present a reflected cross-site scripting (XSS) vulnerability. This involves...
Inventory Online Device Information Vulnerability
Publish Date: Mar. 15, 2019 Summary We've identified a vulnerability in the Spiceworks Inventory online that would allow an attacker to access a victim’s PII, agent info, secret key, related help desk...
Cloud Help Desk Ruby on Rails Update
Publish Date: Mar. 29, 2019 Summary We've updated the Ruby on Rails version used by the Spiceworks Cloud Help Desk in order to patch a security vulnerability. Who’s Affected? At this time, we do not...
Community Invitation URL Vulnerability
Publish Date: Apr. 19, 2019 Summary We've identified and fixed a vulnerability in the Spiceworks Community that would allow an attacker to download a CSV file containing some user names and associated...
Cloud Help Desk Browser Cache Vulnerability
Publish Date: May 9, 2019 Summary We've identified a vulnerability in the Spiceworks Cloud Help Desk that would allow an attacker with access to a victim’s computer to utilize the browser’s cache to...
Community Join URL Referer Reflected XSS Vulnerability
Publish Date: May 24, 2019 Summary We've identified and fixed an issue with the join URL for the Spiceworks Community that could present a reflected cross-site scripting (XSS) vulnerability. This...
Community Profile Job Experience Stored XSS Vulnerability
Publish Date: June 14, 2019 Summary We've identified and fixed an issue with the Job Experience tab of the Spiceworks Community profile that could present a stored cross-site scripting (XSS)...
Spiceworks Website WordPress Publisher Vulnerability
Publish Date: July 12, 2019 Summary We've identified a vulnerability in the Spiceworks WWW site that would allow an attacker to view the names of people who have published articles through WordPress on...
Password Reset Rate Limit Vulnerability
Publish Date: July 12, 2019 Summary We've identified a vulnerability in the Spiceworks account password reset mechanism. The “current password” field was lacking a rate limiter, allowing an attacker to...
Network Monitor Privilege Escalation Vulnerability
Publish Date: January 17, 2020 Summary Malicious users with login access to the Network Monitor host machine can write malicious files on the system, potentially allowing the user to perform an attack...
Desktop Host Header Injection vulnerability
Publish Date: March 4, 2021 Summary A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to an...
Cloud Help Desk & Inventory online integration authorization vulnerability
Publish Date: Mar. 8, 2021 Summary We've identified a bug in the Spiceworks Inventory online and Cloud Help Desk products that would allow a user of the Inventory online product to access limited...
Help Desk Server: Elasticsearch log4j vulnerability
Note: See this post for our latest updates to the broader evolving log4j2 vulnerability situation.
Publish Date: Dec. 14, 2021 Summary We're investigating the log4j vulnerability and potential impacts...
Cloud Help Desk & Community Elasticsearch log4j vulnerability
Note: Also see this post for our latest updates to the broader evolving log4j2 vulnerability situation.
Publish Date: Dec. 17, 2021 Summary We have investigated the log4j vulnerability, and have taken...
Cloud Help Desk erroneously CC'd email addresses
Publish Date: Aug 10, 2022 Summary We were made aware of an issue in the Spiceworks Cloud Help Desk (CHD) in which, when a certain set of actions was taken, recipients within your organization could be...
Community & Cloud Help Desk XSS vulnerabilities
Publish Date: Aug 30, 2022 Summary We've identified and fixed multiple issues in Cloud Help Desk and Community that could present a stored cross-site scripting (XSS) vulnerability. Areas with...
Cloud Help Desk XSS and HTML injection vulnerabilities
Publish Date: Sept 8, 2022 Summary We've identified and fixed multiple issues in Cloud Help Desk. One that could present a stored cross-site scripting (XSS) vulnerability and one HTML injection...