Platform
php
Component
vision-helpdesk
Fixed in
5.6.10
CVE-2024-58343 is a vulnerability in Vision Helpdesk, listed as affecting versions 0.0.0 through 5.6.10. It lets an attacker read user profiles by exploiting insecure deserialization of the visclientid cookie, and successful exploitation exposes sensitive user information. The page lists 5.6.10 as the fixed release; because the affected range also ends at 5.6.10, confirm against the vendor's release notes whether 5.6.10 itself is affected before treating an instance on that version as patched.
The vulnerability arises from Vision Helpdesk deserializing the contents of the visclientid cookie without validating them. The cookie is attacker-controlled: an attacker crafts a serialized payload, sends it in their own request, and the application acts on the values it contains, which allows profile data to be read. What is exposed depends on what the profiles hold, typically names, email addresses, support ticket history and similar details. The advisory establishes profile disclosure only; whether unserialize() of attacker data could be pushed further (PHP object injection through classes with magic methods) depends on which classes the application loads and is not established here, so "RCE is unlikely" should be read as "not shown", not as ruled out. Even as a pure read, the exposure is a privacy breach that supports social engineering and follow-on attacks, the more so when the instance holds customer data or is integrated with other critical systems.
This CVE was published on 2026-04-16. No public proof-of-concept exploit is known. The impact is rated medium, reflecting unauthorized data access. It is not listed in the CISA KEV catalog. Note that "cookie manipulation" here does not imply user interaction: the attacker sets the visclientid cookie on their own requests, so no victim has to be tricked into accepting anything.
Organizations that run Vision Helpdesk for customer support or an internal help desk are at risk, particularly where sensitive user data is stored in profiles. Multi-tenant deployments, where several customers or user groups share one Vision Helpdesk instance, are at higher risk because a single instance holds the profiles of all of them, so reading profiles is not confined to the attacker's own tenant.
• php / server:
grep -rnE 'vis_?client_?id' /var/www/html/
• generic web:
curl -sI <your_vision_helpdesk_url> | grep -iE 'set-cookie:.*vis_?client_?id'
The page names the cookie both visclientid and vis_client_id; the pattern matches either spelling. The curl check only reports the cookie if the server sets it on an unauthenticated request to that URL, so a login page or a request with -L may be needed.
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Vision Helpdesk to version 5.6.10 or later, which contains the fix. If upgrading is not immediately feasible, a temporary workaround is to disable the storage of sensitive information in the visclientid cookie; note that this limits what the cookie carries but does not stop attacker-supplied serialized data from reaching the deserializer, so if you control a reverse proxy, rejecting visclientid values that do not match the expected format is the more direct interim control. Apply strict validation to all user-supplied data, cookie values included, and prefer a data-only format (JSON, or unserialize() with allowed_classes set to false) over unserialize() of raw client input. A Web Application Firewall configured to detect serialized PHP payloads in cookies adds a further layer. Review cookie handling regularly to catch the same pattern elsewhere.
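The pattern described in the vulnerability analysis and the mitigation above, as an added example that is not Vision Helpdesk's code: a hypothetical profile lookup that trusts the serialized contents of a cookie, beside a hardened handler that signs a JSON payload with an HMAC and never calls unserialize() on client input. The cookie layout, the profile store, COOKIE_KEY and the function names are all assumptions made for the example.

```php
<?php
// Added example, not Vision Helpdesk code. All names and the cookie layout are
// hypothetical; the point is the vulnerable pattern and one way to harden it.

declare(strict_types=1);

// Constructed in-memory "user profiles" standing in for the database.
const PROFILES = [
    1001 => ['name' => 'Alice Example', 'email' => 'alice@example.test'],
    1002 => ['name' => 'Bob Example',   'email' => 'bob@example.test'],
];

// Hypothetical server-side secret used to sign the hardened cookie.
const COOKIE_KEY = 'replace-with-a-random-32-byte-secret';

// VULNERABLE: the cookie is unserialize()d and the id inside it is trusted.
// Anyone can write a serialized array naming another user's id.
function profileFromCookieVulnerable(string $cookie): ?array
{
    $client = @unserialize($cookie);            // attacker-controlled input
    if (!is_array($client) || !isset($client['id'])) {
        return null;
    }
    return PROFILES[(int) $client['id']] ?? null;
}

// HARDENED: the cookie is a JSON payload plus an HMAC tag. The id is used only
// after the tag verifies, and unserialize() is never called on client data.
function issueCookie(int $userId): string
{
    $payload = json_encode(['id' => $userId, 'iat' => time()]);
    $tag = hash_hmac('sha256', $payload, COOKIE_KEY);
    return base64_encode($payload) . '.' . $tag;
}

function profileFromCookieHardened(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $tag] = $parts;
    $payload = base64_decode($b64, true);       // strict decoding
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, COOKIE_KEY);
    if (!hash_equals($expected, $tag)) {        // constant-time comparison
        return null;
    }
    $client = json_decode($payload, true);      // data only, no object revival
    if (!is_array($client) || !isset($client['id'])) {
        return null;
    }
    return PROFILES[(int) $client['id']] ?? null;
}

// Constructed attacker cookie: a serialized array that names user 1002.
$forged = serialize(['id' => 1002]);            // a:1:{s:2:"id";i:1002;}

// The vulnerable handler honours whatever id the attacker serialized.
var_dump(profileFromCookieVulnerable($forged));

// The same forgery against the hardened handler fails the HMAC check.
var_dump(profileFromCookieHardened($forged));

// A cookie issued by the server still resolves to the intended profile.
var_dump(profileFromCookieHardened(issueCookie(1001)));
```

Run it with `php example.php`. An opaque random session id looked up server-side is the simpler design and avoids putting any structure in the cookie at all; the signed JSON form is shown because it keeps the cookie self-describing, as the original serialized cookie was, while removing the deserializer from the attack surface.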
Update Vision Helpdesk to version 5.6.10 or later to mitigate the vulnerability. The update corrects how serialized cookie data is handled, preventing unauthorized reading of user profiles.
CVE-2024-58343 is a medium-severity vulnerability in Vision Helpdesk versions 0.0.0–5.6.10 that allows attackers to read user profiles by manipulating serialized cookie data.
If you are running Vision Helpdesk 0.0.0 through 5.6.10, you are potentially affected by this vulnerability. Upgrade to 5.6.10 or later to mitigate the risk.
The recommended fix is to upgrade Vision Helpdesk to version 5.6.10 or later. As a temporary workaround, disable the storage of sensitive information in the visclientid cookie; this reduces what is exposed but does not by itself stop untrusted cookie data from being deserialized.
At the time of publication there were no confirmed reports of active exploitation of CVE-2024-58343, but the patch should be applied proactively.
Refer to the official Vision Helpdesk security advisory for detailed information and updates regarding CVE-2024-58343.