CVE-2020-15487
Re:Desk 2.3 contains a blind unauthenticated SQL injection in getBaseCriteria() (protected/models/Ticket.php). By altering the folder GET parameter in a crafted URL, arbitrary SQL can be executed, enabling unauthenticated remote command execution via a bizRule eval() in yii/framework/web/auth/CAu...