An SQL injection vulnerability in Zendesk Explore could have allowed a threat actor to leak Zendesk customer account information, data security firm Varonis reports. Zendesk, a well-known provider of customer support software as a service, offers analytics and reporting through its Zendesk Explore service.
Two vulnerabilities in Zendesk Explore, according to Varonis, could have given an attacker access to conversations, comments, email addresses, tickets, and other data kept in Zendesk accounts with Explore turned on. However, the two problems were brought to Zendesk’s attention and fixed before they had any effect on customer data.
To exploit these vulnerabilities, an attacker would first need to sign up as an external user of the ticketing service on the intended victim’s Zendesk account.