Platform: php
Component: vision-helpdesk
Fixed in: 5.6.10
CVE-2024-58343 is a vulnerability affecting Vision Helpdesk versions from 0.0.0 through 5.6.10. It allows attackers to read user profiles by exploiting insecure deserialization of the visclientid cookie. Successful exploitation could lead to unauthorized access to sensitive user information. A patch is available in version 5.6.10.
This vulnerability arises from the insecure handling of serialized data within the visclientid cookie. An attacker can craft a malicious cookie payload that, when accepted by Vision Helpdesk, allows them to extract information from user profiles. The extent of data accessible depends on the information stored within those profiles, potentially including names, email addresses, support ticket history, and other sensitive details. While direct remote code execution is unlikely, the exposure of user data represents a significant privacy breach and could be leveraged for social engineering or further attacks. The impact is amplified if the Vision Helpdesk instance handles sensitive customer data or is integrated with other critical systems.
This CVE was published on 2026-04-16. There are currently no publicly available proof-of-concept exploits. The vulnerability's impact is considered medium due to the potential for unauthorized data access. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on cookie manipulation suggests that exploitation may require user interaction (e.g., tricking a user into accepting a malicious cookie).
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation is to immediately upgrade Vision Helpdesk to version 5.6.10 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a temporary workaround by disabling the storage of sensitive information within the visclientid cookie. Additionally, implement strict input validation and sanitization on all user-supplied data, particularly cookie values. Web Application Firewalls (WAFs) configured to detect and block deserialization attacks can provide an additional layer of protection. Regularly review and audit cookie handling practices to identify and address potential vulnerabilities.
Update Vision Helpdesk to version 5.6.10 or higher to mitigate the vulnerability. This update corrects how serialized cookie data is handled, preventing unauthorized reading of user profiles.
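To make the weakness described above and the recommended mitigations concrete, the following is an added PHP illustration; it is not Vision Helpdesk's code and does not show the actual vulnerable routine. The function names, the cookie layout, the placeholder secret and the profile authorisation rule are all assumptions for the example. It contrasts a handler that trusts a serialized cookie with one that issues and verifies an HMAC-signed JSON cookie, and shows the `allowed_classes` guard for a transition period in which legacy serialized cookies still have to be read.

```php
<?php
// Added illustration (not Vision Helpdesk's code). Names, cookie format and
// the secret below are assumptions made for this example.
declare(strict_types=1);

// Placeholder only: in a real deployment load a random 32-byte secret from config.
const COOKIE_SECRET = 'replace-with-a-random-32-byte-secret';

// --- Weak pattern: trusting a serialized cookie ---------------------------
// Whatever the client sends becomes a PHP value with no integrity check, so
// the identifier later used to load a profile is client-controlled, and
// unserialize() may instantiate arbitrary classes present in the codebase.
function clientFromCookieWeak(string $cookie): ?array
{
    $data = @unserialize($cookie);
    return is_array($data) ? $data : null;
}

// --- Hardened pattern: signed, non-serialized cookie ----------------------
// The server issues the cookie as base64(JSON) . '.' . HMAC-SHA256(JSON).
// Only scalars are carried, so nothing is instantiated when it comes back.
function issueClientCookie(int $clientId): string
{
    $body = json_encode(['id' => $clientId, 'iat' => time()], JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $body, COOKIE_SECRET);
    return base64_encode($body) . '.' . $mac;
}

function clientFromCookieHardened(string $cookie): ?int
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $body = base64_decode($encoded, true); // strict mode rejects malformed input
    if ($body === false) {
        return null;
    }
    // Verify the MAC in constant time before looking at the payload at all.
    if (!hash_equals(hash_hmac('sha256', $body, COOKIE_SECRET), $mac)) {
        return null;
    }
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['id']) || !is_int($data['id'])) {
        return null;
    }
    return $data['id'];
}

// Even a correctly signed cookie only names a client. The profile read must
// still be authorised against the authenticated session, not the cookie alone.
function canReadProfile(int $sessionUserId, int $requestedClientId): bool
{
    return $sessionUserId === $requestedClientId;
}

// Transitional guard: if legacy serialized cookies must still be accepted,
// refuse object instantiation so unserialize() can only yield scalars/arrays.
// This limits gadget abuse but does NOT restore integrity; the id is still
// client-controlled, so the authorisation check above remains mandatory.
function legacyCookieScalarsOnly(string $cookie): ?array
{
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Demonstration with server-issued values (constructed for this example).
$signed = issueClientCookie(42);
var_dump(clientFromCookieHardened($signed));

// Flip the last MAC character: verification fails and no id is returned.
$last     = substr($signed, -1);
$tampered = substr($signed, 0, -1) . ($last === 'a' ? 'b' : 'a');
var_dump(clientFromCookieHardened($tampered));

// The legacy form is accepted as data, but any client could edit the id in
// transit, which is exactly why the weak handler exposes other users' profiles.
$legacy = serialize(['id' => 42]);
var_dump(legacyCookieScalarsOnly($legacy));
var_dump(canReadProfile(42, legacyCookieScalarsOnly($legacy)['id']));
```

The design point is that the two halves of the fix are separable: the HMAC restores integrity so the cookie cannot be altered, and the authorisation check ensures that even a valid cookie cannot be used to read a profile other than the session's own. A WAF rule that blocks serialized-looking cookie values, as the mitigation section suggests, is a useful stopgap but cannot substitute for either half.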
CVE-2024-58343 is a medium-severity vulnerability in Vision Helpdesk versions 0.0.0–5.6.10 that allows attackers to read user profiles by manipulating serialized cookie data.
If you are running Vision Helpdesk versions 0.0.0 through 5.6.10, you are potentially affected by this vulnerability. Upgrade to 5.6.10 to mitigate the risk.
The recommended fix is to upgrade Vision Helpdesk to version 5.6.10 or later. As a temporary workaround, disable the storage of sensitive information in the visclientid cookie.
As of the current date, there are no confirmed reports of active exploitation of CVE-2024-58343, but it's crucial to apply the patch proactively.
Refer to the official Vision Helpdesk security advisory for detailed information and updates regarding CVE-2024-58343.