### Key Information

#### Vulnerability Overview

- **Vulnerability Name**: Deserialization vulnerability in the Tendenci Helpdesk module
- **CVE ID**: CVE-2026-23946
- **GitHub Advisory ID**: GHSA-339m-4qw5-j2g3

#### Affected Versions

- **Affected Versions**: 15.3.11 and earlier
- **Fixed Version**: 15.3.12

#### Vulnerability Details

- **Severity**: Medium (CVSS v3 base score 6.8/10)
- **CVE Association**: CVE-2020-14942 (the original deserialization vulnerability, which was only partially patched)
- **Component**: `tendenci/apps/helpdesk/views/staff.py`
- **Key Finding**: The patch for CVE-2020-14942 was incomplete. `ticket_list()` was changed to deserialize its input with JSON, but `run_report()` still deserializes with `pickle.loads()`, so the unsafe deserialization remains reachable through the report code path.
- **Impact Scope**: Code execution is limited to the privileges of the account running the application (typically `www-data`), which generally has no write access outside upload directories and no execute permissions elsewhere.

#### Tendenci User Role Hierarchy

| Level | Role | Description |
|-------|--------------------|----------------------------------------------|
| 0 | is_superuser | Highest privilege: full Django admin |
| 1 | is_staff | Users with the Staff security level; can access the helpdesk module |
| 2 | Authenticated User | Basic user access |
| 3 | Anonymous User | Public read-only access |

`run_report()` lives in the helpdesk staff views, so the vulnerable path is reachable by accounts at Staff level (level 1) and above, not by ordinary authenticated or anonymous users.

#### Code Comparison (Patched vs Vulnerable)

| Function | Line | Deserialization | Status |
|----------------|------|-----------------------|--------------|
| `ticket_list()` | 763 | `simplejson.loads()` | SAFE |
| `run_report()` | 1062 | `pickle.loads()` | VULNERABLE |

#### Mitigation

- Upgrade Tendenci to v15.3.12 or later, which fixes the vulnerability
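The table above contrasts two deserializers but does not show why the distinction matters. The following is an added example, not Tendenci's code: it models the two `run_report()` behaviours side by side, with a pickle payload whose `__reduce__` hook runs an arbitrary callable during `pickle.loads()`, and a JSON path that can only produce plain data. The assumptions (not taken from the advisory) are that the report's saved query arrives as one base64-encoded string in a request parameter, that the decoded value is expected to be a dict of filter names to values, and that the stdlib `json` module stands in for `simplejson`. All function and class names are hypothetical stand-ins.

```python
"""Added example (not Tendenci's code): pickle vs JSON deserialization of a
report's saved query parameters.

Assumptions (not from the advisory): the view receives its saved query as one
base64-encoded string in a request parameter, the decoded value should be a
dict of filter names to values, and stdlib json stands in for simplejson.
Function and class names are hypothetical stand-ins for run_report()'s
before/after behaviour.
"""
import base64
import io
import json
import os
import pickle


class QueryParamsPayload:
    """Attacker-controlled object. When unpickled it is not rebuilt; instead
    pickle calls the callable returned by __reduce__ with the given args.
    eval is used here as a harmless, observable stand-in for os.system etc."""

    def __reduce__(self):
        # The expression's value becomes the return value of pickle.loads(),
        # which proves the attacker's code executed inside the deserializer.
        return (eval, ("__import__('os').getpid()",))


def build_pickle_blob(obj) -> str:
    """What a legitimate client would have sent under the pickle scheme."""
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")


def build_malicious_blob() -> str:
    """The same encoding, but wrapping the payload object instead of a dict."""
    return build_pickle_blob(QueryParamsPayload())


def build_json_blob(params: dict) -> str:
    """What a client sends under the JSON scheme."""
    return base64.b64encode(json.dumps(params).encode("utf-8")).decode("ascii")


def run_report_vulnerable(blob: str):
    """The pattern the advisory flags in run_report(): pickle.loads() on
    request-supplied data. Any decodable pickle stream is executed."""
    return pickle.loads(base64.b64decode(blob))


def run_report_fixed(blob: str) -> dict:
    """The pattern the advisory reports for ticket_list(): JSON plus a shape
    check. JSON yields only dicts, lists, strings, numbers, booleans and null,
    so there is no object construction for a payload to hook into."""
    try:
        params = json.loads(base64.b64decode(blob).decode("utf-8"))
    except (ValueError, TypeError) as exc:
        # binascii.Error, UnicodeDecodeError and JSONDecodeError are all
        # ValueError subclasses; a pickle stream fails at the UTF-8 step.
        raise ValueError("query_params is not valid base64-encoded JSON") from exc
    if not isinstance(params, dict) or not all(isinstance(k, str) for k in params):
        raise ValueError("query_params must be a JSON object keyed by filter name")
    return params


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth if pickle cannot be removed outright: refuse every
    global lookup, so only plain containers and scalars can be rebuilt.
    Removing pickle (the JSON path above) remains the real fix."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Runs each path over a constructed benign query and the payload."""
    benign = {"status": [1, 2], "sort": "created"}  # constructed sample input
    out = {}
    out["vulnerable_benign"] = run_report_vulnerable(build_pickle_blob(benign))
    # eval ran inside pickle.loads(); its value is this process's own pid.
    out["vulnerable_payload_ran"] = run_report_vulnerable(build_malicious_blob()) == os.getpid()
    out["fixed_benign"] = run_report_fixed(build_json_blob(benign))
    try:
        run_report_fixed(build_malicious_blob())
        out["fixed_rejects_payload"] = False
    except ValueError:
        out["fixed_rejects_payload"] = True
    try:
        restricted_loads(base64.b64decode(build_malicious_blob()))
        out["restricted_rejects_payload"] = False
    except pickle.UnpicklingError:
        out["restricted_rejects_payload"] = True
    out["restricted_benign"] = restricted_loads(pickle.dumps(benign))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the `RestrictedUnpickler` is only to show what a stopgap looks like when a pickle wire format cannot be changed immediately; it is not what the advisory's fix does. The patched `ticket_list()` path, mirrored by `run_report_fixed()`, removes pickle entirely, which is the change v15.3.12 applies to `run_report()`.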