Security ID : NAS-201808-13
Security Advisory for Command Injection Vulnerability in Helpdesk
Release date : August 13, 2018
CVE identifier : CVE-2018-0714
Affected products: Helpdesk versions 1.1.21 and earlier in
QTS 4.2.6: build 20180531
QTS 4.3.3: build 20180528
QTS 4.3.4: build 20180528 and earlier versions
Severity
Important
Status
Resolved
Summary
A command injection vulnerability was recently found in Helpdesk. If exploited, this vulnerability could allow remote attackers to run arbitrary commands in the compromised application.
We have already fixed this issue in Helpdesk version 1.2 and later in the following QTS versions.
- QTS 4.2.6: build 20180711 and later
- QTS 4.3.3: build 20180716 and later
- QTS 4.3.4: build 20180710 and later
Recommendation
To fix these vulnerabilities, we recommend updating QTS first, and then Helpdesk, to their latest versions.
Installing the QTS Update
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Updating Helpdesk
- Log on to QTS as administrator.
- Open the App Center, and then click the Search icon.
A search box appears. - Type “Helpdesk”, and then press ENTER.
The Helpdesk application appears in the search results list. - Click Update.
A confirmation message appears. - Click OK.
The application is updated.
Acknowledgements: Yoni Ramon, security researcher
Revision History: V1.0 (August 13, 2018) - Published
