A week after SolarWinds released a fix for a critical code-injection-to-RCE vulnerability (CVE-2024-28986) in Web Help Desk (WHD), another patch for another critical flaw (CVE-2024-28987) in the company’s IT help desk solution has been pushed out.
CVE-2024-28987
CVE-2024-28987 stems from Web Help Desk having hardcoded credentials that can be misused by remote unauthenticated users to access internal functionality and modify data.
The vulnerability was reported by Horizon3.ai vulnerability researcher Zach Hanley after digging into CVE-2024-28986, which – according to the US Cybersecurity and Infrastructure Security Agency – is being actively exploited by attackers.
Web Help Desk 12.8.3 Hotfix 2 – the fix that addresses CVE-2024-28987 – also includes the fixes from the previous hotfix (for CVE-2024-28986), more patterns to fix an SSO issue, and solves a bug that stripped the Upload Attachments, Cancel, and Save buttons from the client application.
Admins are advised to implement the latest hotfix as soon as possible. Instructions on how to do it – as some manual tweaking is required – are included in the knowledge base article.
Requests to non-existent pages on vulnerable instances return the default login page, Hanley explained. “Patched instances will return no content / content-length 0.”
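To check an instance you administer against the indicator Hanley describes, here is an added Python script (it is not from SolarWinds or Horizon3.ai); the probe path, the User-Agent string and the password-field marker used to recognise the login page are assumptions.

```python
"""Classify a Web Help Desk instance as patched/unpatched using the
Horizon3.ai indicator: a request for a non-existent page returns an empty
body (Content-Length: 0) on a hotfixed instance, but the default login
page on an unpatched one. Added example; probe path and markers assumed."""
import sys
import urllib.error
import urllib.request

# Assumption: any path WHD has no handler for will do; this one is made up.
PROBE_PATH = "/nonexistent-page-hotfix-check"


def classify(status: int, headers: dict, body: bytes) -> str:
    """Return 'patched', 'unpatched' or 'unknown' for one HTTP response."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    text = body.decode("utf-8", errors="replace").lower()
    # Patched behaviour per the article: no content / Content-Length 0.
    if hdrs.get("content-length") == "0" or not body.strip():
        return "patched"
    # Assumption: the default login page carries a password input field.
    if 'type="password"' in text or "type='password'" in text:
        return "unpatched"
    # Anything else (custom error page, proxy response, etc.) is inconclusive.
    return "unknown"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the probe path from base_url and classify the response."""
    req = urllib.request.Request(
        base_url.rstrip("/") + PROBE_PATH,
        headers={"User-Agent": "whd-hotfix-check"},  # assumed, arbitrary
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:
        # A 404 still carries headers and a body, so classify it too.
        return classify(err.code, dict(err.headers), err.read())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} https://whd.example.internal")
    print(probe(sys.argv[1]))
```

Treat the result as an indicator only: confirm the installed hotfix version from the WHD console before closing the finding.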