Vulnerability Details CVE-2006-5474
The "forgot password" function in OneOrZero Helpdesk before 1.6.5.4 generates insecure passwords by concatenating the current timestamp with the username, which allows remote attackers to gain access as an arbitrary user by requesting a password reset.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.014
EPSS Ranking 80.1%
CVSS Severity
CVSS v2 Score 7.5
References
- http://oneorzero.com/downloads/release_notes/Current_Release_notes.html
- http://secunia.com/advisories/22476
- http://securityreason.com/securityalert/1767
- http://www.securityfocus.com/archive/1/449352/100/0/threaded
- http://www.securityfocus.com/bid/20651
- http://www.whitedust.net/speaks/3043/
- http://oneorzero.com/downloads/release_notes/Current_Release_notes.html
- http://secunia.com/advisories/22476
- http://securityreason.com/securityalert/1767
- http://www.securityfocus.com/archive/1/449352/100/0/threaded
- http://www.securityfocus.com/bid/20651
- http://www.whitedust.net/speaks/3043/
Products affected by CVE-2006-5474
-
cpe:2.3:a:oneorzero:oneorzero_helpdesk:*
-
cpe:2.3:a:oneorzero:oneorzero_helpdesk:1.6
-
cpe:2.3:a:oneorzero:oneorzero_helpdesk:1.6.3
-
cpe:2.3:a:oneorzero:oneorzero_helpdesk:1.6.4