CVE-2020-2500
CRITICAL
QNAP Helpdesk < 3.0.1 - Improper Access Control via API Key Exposure
Title source: llm
Description
This improper access control vulnerability in Helpdesk allows attackers to get control of the QNAP Kayako service. Attackers can access the sensitive data on the QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions.
References (1)
Core References
Vendor Advisory x_refsource_misc
https://www.qnap.com/zh-tw/security-advisory/qsa-20-03
Scores
CVSS v3: 9.8
EPSS: 0.0026
EPSS Percentile: 48.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-284, CWE-321, CWE-798
Status: published
Products (1): qnap/helpdesk < 3.0.1
Published: Jul 01, 2020
Tracked Since: Feb 18, 2026