Security Affairs
Two Scattered Spider Members Sentenced to Prison Over £29 Million TfL Cyberattack|TuxBot v3: The IoT Botnet Built With AI – Bugs, Disclaimers and All|Claude Code and DeepSeek Powered Chinese Cyber Espionage Campaign|Zoom Fixes CVE-2026-53412, a Critical Account Takeover Bug|US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups|Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems|AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads|U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog|SonicWall warns of active exploitation of two SMA 1000 zero-days|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Two Scattered Spider Members Sentenced to Prison Over £29 Million TfL Cyberattack|TuxBot v3: The IoT Botnet Built With AI – Bugs, Disclaimers and All|Claude Code and DeepSeek Powered Chinese Cyber Espionage Campaign|Zoom Fixes CVE-2026-53412, a Critical Account Takeover Bug|US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups|Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems|AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads|U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog|SonicWall warns of active exploitation of two SMA 1000 zero-days|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts revealed details of critical SQLi and access issues in Zendesk Explore

Researchers disclosed technical details of critical SQLi and access vulnerabilities in the Zendesk Explore Service. Cybersecurity researchers at Varonis disclosed technical details of critical SQLi and access vulnerabilities impacting the Zendesk Explore service. Zendesk Explore allows organizations to view and analyze key information about their customers, and their support resources. Threat actors would have allowed […]

Zendesk Explore

Researchers disclosed technical details of critical SQLi and access vulnerabilities in the Zendesk Explore Service.

Cybersecurity researchers at Varonis disclosed technical details of critical SQLi and access vulnerabilities impacting the Zendesk Explore service. Zendesk Explore allows organizations to view and analyze key information about their customers, and their support resources.

Threat actors would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk accounts having the Explore service enabled. The experts are not aware of attacks in the wild.

“To exploit the vulnerability, an attacker would first register for the ticketing service of its victim’s Zendesk account as a new external user. Registration is enabled by default because many Zendesk customers rely on end-users submitting support tickets directly via the web.” reads the advisory published by Varonis. “Zendesk Explore is not enabled by default but is heavily advertised as a requirement for the analytic insights page.”

Varonis reported the flaws to Zendesk which started working on a fix the same day they were reported. The company addressed multiple vulnerabilities in less than one workweek.

In order to exploit these flaws, an attacker has to register for the ticketing service of the target’s Zendesk account as a new external user. The experts highlighted that this is a feature that’s likely enabled by default to allow end-users to submit support tickets.

The SQL injection vulnerability resides in the GraphQL API execute-query, an attacker can abuse it to exfiltrate all information (email addresses of users, leads, and deals from the CRM, live agent conversations, tickets, help center articles, and more) stored in the database as an admin user.

Zendesk Explore

The second critical issue is a logic access flaw associated with a query execution API. The researchers pointed out that the execute-query API did not perform the following logical checks:

  1. The integrity of documents was not checked, allowing our team to modify them in ways that exposed the inner workings of the system.
  2. “query,” “datasources,” and “cubeModels” IDs were not evaluated to see if they belonged to the current user.
  3. Finally, and most critically, the API endpoint did not verify that the caller had permission to access the database and execute queries. This meant that a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account’s RDS, no SQLi required.

Varonis reported the issues to Zendesk on August 30 and the company addressed it on September 8, 2022.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Zendesk Explore)

[adrotate banner=”5″]

[adrotate banner=”13″]