Arbitrary Push Notification with URL Redirection Vulnerability in LIVEBOX Collaboration vDesk

Arbitrary Push Notification with URL Redirection Vulnerability in LIVEBOX Collaboration vDesk

CVE-2022-45169 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

An issue was discovered in LIVEBOX Collaboration vDesk through v031. A URL Redirection to an Untrusted Site (Open Redirect) can occur under the /api/v1/notification/createnotification endpoint, allowing an authenticated user to send an arbitrary push notification to any other user of the system. This push notification can include an (invisible) clickable link.

Learn more about our Api Penetration Testing.