uvdesk / api-bundle

API Integration for UVdesk Community Helpdesk System.
Open Software License 3.0
17 stars 15 forks source link

Critical API Key Vulnerability in UVdesk #77

Open manoonabbasi opened 1 month ago

manoonabbasi commented 1 month ago

Critical API Key Vulnerability in UVdesk

Description

I have discovered a vulnerability in UVdesk's API related to the management of API keys. Specifically, once an API key is generated, it continues to allow ticket creation and other transactions without proper validation, even if the key is changed or altered.

To verify this, I tested the API by replacing the original API key with random, altered characters (i.e., gibberish or garbage). Despite using an altered key, the API calls still succeeded. This behavior suggests a critical validation issue that could enable unauthorized access.

I reported this issue to UVdesk support at support@uvdesk.com. The email ticket number is #33835. However, I have not received any response or acknowledgment, despite follow-up attempts.

Steps to Reproduce

  1. Generate a new API key in UVdesk.
  2. Use the API key to create a ticket via curl or similar method.
  3. Change the API key to an altered key or even replace it with random characters.
  4. Attempt to create another ticket using the modified or incorrect key.

Expected Behavior

The API should reject requests with an invalid or altered API key.

Actual Behavior

Requests continue to succeed even after the API key has been altered or changed.

Recommendations

Implement stricter validation of API keys to ensure that only the current, valid key is accepted for transactions.

papnoisanjeev commented 1 week ago

@manoonabbasi

image

Changed value of authenticated API key and getting. "status": false, "message": "An authentication exception occurred.", "error_code": "CC-005"