Lack of Input Validation in zendesk_api_client_php for Zendesk Subdomain
Critical severity • GitHub Reviewed
Published Apr 28, 2021 in zendesk/zendesk_api_client_php • Updated Jan 9, 2023
Package
Affected versions: < 2.2.11
Patched versions: 2.2.11
Reviewed: Apr 28, 2021
Published to the GitHub Advisory Database: Apr 29, 2021
Last updated: Jan 9, 2023
Description
Impact
Lack of input validation of the Zendesk subdomain could expose users of the library to Server-Side Request Forgery (SSRF).
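An added example, not code from zendesk_api_client_php or from this advisory, of a subdomain check that keeps the request host fixed. It assumes the base URL is built as https://{subdomain}.zendesk.com/api/v2/ and that a subdomain is a single DNS label; the function names and sample values are constructed for illustration.

```php
<?php
// Added example; not the library's code. URL template, function names and
// sample inputs are assumptions made for illustration.

const API_HOST_SUFFIX = '.zendesk.com';

/** True only for one DNS label: 1-63 chars of a-z, 0-9 or '-', no leading or trailing '-'. */
function isValidSubdomain(string $subdomain): bool
{
    // \A and \z (not ^ and $) so a trailing newline cannot slip past the anchors.
    return preg_match('/\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i', $subdomain) === 1;
}

/** Build the API base URL, refusing anything that is not a plain subdomain label. */
function buildApiBase(string $subdomain): string
{
    if (!isValidSubdomain($subdomain)) {
        throw new InvalidArgumentException('Invalid Zendesk subdomain');
    }
    $url = 'https://' . $subdomain . API_HOST_SUFFIX . '/api/v2/';

    // Defence in depth: the parsed host must be exactly the intended one.
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, $subdomain . API_HOST_SUFFIX) !== 0) {
        throw new RuntimeException('Unexpected host in API URL');
    }
    return $url;
}

// Constructed inputs: the host that naive string interpolation would produce,
// next to the validator's verdict for the same value.
$samples = ['acme', 'acme-support', 'internal.example/', 'internal.example#', "acme\n", '-acme', ''];
foreach ($samples as $s) {
    $naive = 'https://' . $s . API_HOST_SUFFIX . '/api/v2/';
    $host  = parse_url($naive, PHP_URL_HOST);
    printf(
        "%-22s naive host=%-28s accepted=%s\n",
        json_encode($s),
        json_encode($host),
        isValidSubdomain($s) ? 'yes' : 'no'
    );
}
```

Only the first two samples are accepted; for the values containing `/` or `#`, the naive URL parses to a host outside zendesk.com, which is the condition the validation removes.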
Resolution
Validate the provided Zendesk subdomain to be a valid subdomain in: