Description
Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id.
Published: 2026-04-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Read user profiles via cookie tampering
Action: Patch
AI Analysis

Impact

Vision Helpdesk versions prior to 5.7.0 accept client-controlled serialized data in the vis_client_id cookie and use it when serving user profiles. An attacker who holds a low-privileged account (the CVSS vector specifies PR:L) can modify that cookie in a crafted request to the web interface and read profile data belonging to other users. This is an information disclosure weakness, classified under CWE-425 (Direct Request / Forced Browsing); only confidentiality is affected (C:L, I:N, A:N).

Affected Systems

The affected product is Vision:Helpdesk. The CVE lists versions before 5.7.0 as affected, but the fix shipped earlier as patch release 5.6.10, so deployments older than 5.6.10 (5.6.0 through 5.6.9 and every earlier release) are at risk, while 5.6.10 and later 5.6.x builds, and the 5.7.0 line, carry the fix.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates medium severity: the flaw is reachable over the network with low attack complexity and no user interaction, but it requires a low-privileged account and yields only a limited confidentiality loss. EPSS is below 1% (Very Low), and the vulnerability is not listed in CISA's KEV catalog, so no widespread exploitation is known; the SSVC record in the history below does, however, note Exploitation: poc and Automatable: no. The vendor fix is release 5.6.10; upgrade to 5.6.10 or newer.

Generated by OpenCVE AI on April 16, 2026 at 23:20 UTC.

Remediation

No vendor advisory is linked on this page. The CVE description states that the issue is patched in release 5.6.10, so upgrading to 5.6.10 or newer is the remediation.

OpenCVE Recommended Actions

  • Upgrade Vision:Helpdesk to version 5.6.10 or newer (the 5.7.0 line and later also carry the fix).
  • If an immediate upgrade is not possible, stop treating the vis_client_id cookie as the authority for whose profile a request may read: derive the client identifier from the authenticated server-side session and reject requests whose cookie does not deserialize as expected or disagrees with that session. Disabling the profile functionality that consumes the cookie is a last resort if such validation cannot be added.
  • Restrict network access to the helpdesk web interface where possible, and monitor access logs for requests whose vis_client_id cookie fails to deserialize or references a client other than the one bound to the session.
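The cookie-trust pattern this CVE describes, and the validation and monitoring the actions above call for, modelled as an added Python example. This is not Vision Helpdesk's code (the product's source is not shown on this page): the JSON cookie encoding, the HMAC scheme, the profile and session tables, the access-log format and every function name are assumptions made for illustration. The vulnerable handler selects a profile by the client ID read from the client-controlled cookie; the hardened handler selects it from the server-side session and refuses cookies that fail a MAC check or disagree with the session; the last function runs that session/cookie consistency check over constructed log lines, which is the monitoring the third action suggests.

```python
import hashlib
import hmac
import json
import re

# Constructed sample data (not from the product): profiles keyed by client ID,
# and server-side sessions bound to the client they belong to.
PROFILES = {
    101: {"name": "Alice", "email": "alice@example.invalid"},
    102: {"name": "Bob", "email": "bob@example.invalid"},
}
SESSIONS = {"sess-alice": 101, "sess-bob": 102}

# Assumed server-side secret used to authenticate cookie contents.
COOKIE_KEY = b"server-side-secret-assumed-for-this-example"


def serialize_cookie(payload: dict) -> str:
    """Assumed cookie encoding (JSON); stands in for the product's serializer."""
    return json.dumps(payload, separators=(",", ":"), sort_keys=True)


def make_cookie(client_id: int) -> str:
    """Issue a vis_client_id-style cookie carrying a MAC over the client ID."""
    body = serialize_cookie({"client_id": client_id})
    mac = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return serialize_cookie({"client_id": client_id, "mac": mac})


def vulnerable_profile(session_id: str, cookie: str):
    """Vulnerable pattern: the session is authenticated, but the profile to
    return is chosen by the client ID read from the client-controlled cookie.
    Any logged-in user can edit the cookie and read another user's profile."""
    if session_id not in SESSIONS:
        return None
    client_id = json.loads(cookie)["client_id"]
    return PROFILES.get(client_id)


def hardened_profile(session_id: str, cookie: str):
    """Hardened pattern: the profile is chosen by the client ID bound to the
    server-side session. The cookie is accepted only if its MAC verifies and
    it agrees with the session; otherwise the request is refused."""
    if session_id not in SESSIONS:
        return None
    session_client = SESSIONS[session_id]
    try:
        data = json.loads(cookie)
        body = serialize_cookie({"client_id": data["client_id"]})
        expected = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(data.get("mac", ""))):
            return None
        if data["client_id"] != session_client:
            return None
    except (ValueError, KeyError, TypeError):
        return None
    return PROFILES.get(session_client)


# Constructed access-log lines in an assumed format: session id, raw cookie, status.
SAMPLE_LOG = [
    'sess=sess-alice cookie={"client_id":101} status=200',
    'sess=sess-bob cookie={"client_id":101} status=200',
    'sess=sess-bob cookie=O:8:"stdClass":0:{} status=200',
]
LOG_RE = re.compile(r'sess=(\S+) cookie=(\S+) status=(\d+)')


def flag_cookie_tampering(lines):
    """Detection logic for the monitoring action: flag requests whose cookie
    does not deserialize, or whose client ID disagrees with the client bound
    to the session. Returns (line, reason) pairs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append((line, "unparsed log line"))
            continue
        sess, raw_cookie, _status = m.groups()
        try:
            client_id = json.loads(raw_cookie)["client_id"]
        except (ValueError, KeyError, TypeError):
            findings.append((line, "cookie does not deserialize as expected"))
            continue
        if SESSIONS.get(sess) != client_id:
            findings.append((line, f"cookie client {client_id} != session client {SESSIONS.get(sess)}"))
    return findings


if __name__ == "__main__":
    forged = serialize_cookie({"client_id": 101})
    print("vulnerable, Bob's session + forged cookie:", vulnerable_profile("sess-bob", forged))
    print("hardened, Bob's session + forged cookie:", hardened_profile("sess-bob", forged))
    print("hardened, Alice's session + own cookie:", hardened_profile("sess-alice", make_cookie(101)))
    for line, reason in flag_cookie_tampering(SAMPLE_LOG):
        print("FLAG:", reason, "|", line)
```

The point of the hardened handler is that the cookie never decides whose data is returned; the session does. The MAC check is a defence in depth that rejects tampered cookies early, and a valid MAC for a different client (a cookie replayed from another account) is still refused because it disagrees with the session. In the log check, a cookie that fails to deserialize is treated as a finding in its own right, since modified serialized data is exactly the attack vector this CVE describes.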

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 08:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Vision; Vision helpdesk
Vendors & Products | (none) | Vision; Vision helpdesk

Thu, 16 Apr 2026 23:30:00 +0000

Type | Values Removed | Values Added
Title | (none) | Unauthorized Reading of User Profiles via Modified Cookie in Vision Helpdesk

Thu, 16 Apr 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id.
Weaknesses | (none) | CWE-425
References | (none) | (none listed)
Metrics | (none) | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-17T13:31:05.652Z

Reserved: 2026-04-16T22:27:02.589Z

Link: CVE-2024-58343

Vulnrichment

Updated: 2026-04-17T13:30:57.721Z

NVD

Status : Awaiting Analysis

Published: 2026-04-16T23:16:32.663

Modified: 2026-04-17T15:38:09.243

Link: CVE-2024-58343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:01:23Z

Weaknesses