The Outpost24 team has discovered several vulnerabilities in the Joomla HelpDesk Pro extension, which can potentially lead to remote code execution on servers and open them to “a wide variety of attack types.”
The flaws belong to classes that are very common in web applications: cross-site scripting, insecure direct object references, SQL injection, local file inclusion, path traversal, and arbitrary file upload.
The exploits were confirmed against Joomla HelpDesk Pro version 1.3.0; earlier versions are not reported to have been tested. “All versions prior to 1.4.0, where the issues were finally patched, are suspected of being vulnerable.”
All of the attacks have the potential to cause serious harm, with effects ranging from disclosure of potentially sensitive data to complete server takeover. Outpost24 strongly recommends that users upgrade HelpDesk Pro to version 1.4.0 or later.