Critical API Key Vulnerability in UVdesk
Description
I have discovered a vulnerability in UVdesk's API related to the management of API keys. Specifically, once an API key is generated, it continues to allow ticket creation and other transactions without proper validation, even if the key is changed or altered.
To verify this, I tested the API by replacing the original API key with random, altered characters (i.e., gibberish or garbage). Despite using an altered key, the API calls still succeeded. This behavior suggests a critical validation issue that could enable unauthorized access.
I reported this issue to UVdesk support at support@uvdesk.com. The email ticket number is #33835. However, I have not received any response or acknowledgment, despite follow-up attempts.
Steps to Reproduce
Generate a new API key in UVdesk.
Use the API key to create a ticket via curl or similar method.
Change the API key to an altered key or even replace it with random characters.
Attempt to create another ticket using the modified or incorrect key.
Expected Behavior
The API should reject requests with an invalid or altered API key.
Actual Behavior
Requests continue to succeed even after the API key has been altered or changed.
Recommendations
Implement stricter validation of API keys to ensure that only the current, valid key is accepted for transactions.
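The following probe script is an added example that makes the four reproduction steps above repeatable; it is not part of the report and not UVdesk code. The endpoint path `/api/v1/tickets`, the `Authorization: Bearer <key>` header and the ticket fields in the payload are placeholders assumed here for illustration and must be replaced with whatever the instance under test actually uses. It sends one ticket with the real key and one with a same-length key that differs in every character, and reports VULNERABLE only when both requests succeed.

```python
"""Probe whether an API rejects an altered API key.

Added example, not part of the original report or of UVdesk.
The endpoint, header name and request body below are assumptions;
adjust them to the API you are testing.
"""
import json
import os
import secrets
import string
import sys
import urllib.error
import urllib.request

ALPHABET = string.ascii_letters + string.digits


def alter_key(key: str) -> str:
    """Return a random key of the same length that differs from `key`
    in every position (the 'gibberish' key from the report)."""
    out = []
    for ch in key:
        pool = ALPHABET.replace(ch, "") if ch in ALPHABET else ALPHABET
        out.append(secrets.choice(pool))
    return "".join(out)


def post_ticket(base_url: str, api_key: str,
                endpoint: str = "/api/v1/tickets",      # assumed path
                header: str = "Authorization",          # assumed header
                timeout: float = 10.0) -> int:
    """POST a minimal ticket and return the HTTP status code.
    The field names are placeholders, not UVdesk's documented schema."""
    payload = json.dumps({
        "subject": "API key validation probe",          # constructed data
        "message": "constructed test ticket; safe to delete",
    }).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + endpoint,
        data=payload,
        method="POST",
        headers={header: f"Bearer {api_key}",
                 "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as e:
        # 4xx/5xx raise; the status code is the result we want
        return e.code


def verdict(valid_status: int, altered_status: int) -> str:
    """Classify the pair of responses. A correctly validating API
    accepts the real key and answers 401/403 to the altered one."""
    valid_ok = 200 <= valid_status < 300
    altered_ok = 200 <= altered_status < 300
    if valid_ok and altered_ok:
        return "VULNERABLE: altered key accepted"
    if valid_ok and altered_status in (401, 403):
        return "OK: altered key rejected"
    if valid_ok:
        return (f"INCONCLUSIVE: altered key got HTTP {altered_status}, "
                "expected 401/403")
    return f"INCONCLUSIVE: valid key itself got HTTP {valid_status}"


def run_probe(base_url: str, api_key: str) -> str:
    """Steps 2-4 of the report: create with the real key, then with an
    altered one, and compare the two responses."""
    altered = alter_key(api_key)
    valid_status = post_ticket(base_url, api_key)
    altered_status = post_ticket(base_url, altered)
    return verdict(valid_status, altered_status)


if __name__ == "__main__":
    base = os.environ.get("UVDESK_URL")
    key = os.environ.get("UVDESK_API_KEY")
    if not (base and key):
        sys.exit("set UVDESK_URL and UVDESK_API_KEY to run the probe")
    print(run_probe(base, key))
```

Run it as `UVDESK_URL=https://helpdesk.example.invalid UVDESK_API_KEY=<key> python3 probe.py` against a test instance you are authorised to probe. Comparing status codes is the minimum check; a stronger one is to log in afterwards and confirm that no ticket was created by the altered-key request, and to repeat the probe with the header omitted entirely, since an API that ignores the key's value may also ignore its absence.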