Vulnerability Description
The "forgot password" function in OneOrZero Helpdesk before 1.6.5.4 generates insecure passwords by concatenating the current timestamp with the username, which allows remote attackers to gain access as an arbitrary user by requesting a password reset.
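To make the defect concrete, here is an added illustration (not OneOrZero's code): a hypothetical reconstruction of the flawed scheme the description names, where the reset password is built only from public inputs, next to the hardened pattern a fix should use: a token from the OS CSPRNG, stored only as a hash, bound to an expiry and consumed on first use. The `store` dict stands in for whatever persistence the application has.

```python
import hashlib
import hmac
import secrets

# Hypothetical reconstruction of the pattern described in the advisory: the new
# password is derived from the current timestamp and the username, both of which
# are public or guessable, so the output carries no secret entropy at all.
def weak_reset_password(username: str, now: int) -> str:
    return f"{now}{username}"

# Hardened replacement (added example). Constants are assumptions, not values
# from the advisory.
RESET_TOKEN_BYTES = 32          # 256 bits from the OS CSPRNG
RESET_TTL_SECONDS = 15 * 60     # token is only valid for a short window


def issue_reset_token(store: dict, username: str, now: float) -> str:
    """Generate a reset token, persist only its hash plus an expiry, return it."""
    token = secrets.token_urlsafe(RESET_TOKEN_BYTES)
    store[username] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return token


def verify_reset_token(store: dict, username: str, token: str, now: float) -> bool:
    """Accept a token only if it is unexpired, matches in constant time, and is unused."""
    record = store.get(username)
    if record is None or now > record["expires"]:
        return False
    candidate = hashlib.sha256(token.encode()).hexdigest()
    ok = hmac.compare_digest(candidate, record["token_hash"])
    if ok:
        del store[username]  # single use: a replayed token is rejected
    return ok
```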
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| OneOrZero | OneOrZero Helpdesk | <= 1.6.5.3 |
References
- http://oneorzero.com/downloads/release_notes/Current_Release_notes.html (Patch)
- http://secunia.com/advisories/22476 (Vendor Advisory)
- http://securityreason.com/securityalert/1767
- http://www.securityfocus.com/archive/1/449352/100/0/threaded
- http://www.securityfocus.com/bid/20651
- http://www.whitedust.net/speaks/3043/ (Exploit, Vendor Advisory)
FAQ
What is CVE-2006-5474?
CVE-2006-5474 is a vulnerability with a CVSS score of 7.5 (HIGH). The "forgot password" function in OneOrZero Helpdesk before 1.6.5.4 generates insecure passwords by concatenating the current timestamp with the username, which allows remote attackers to gain access as an arbitrary user by requesting a password reset.
How severe is CVE-2006-5474?
CVE-2006-5474 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2006-5474?
Check the References section above for vendor advisories and patch information; the vendor's release notes are listed there as the patch reference, and the description states that versions from 1.6.5.4 onward are no longer affected. Affected products include: OneOrZero Helpdesk (<= 1.6.5.3).