CVE-2006-5474

Name of the Vulnerable Software and Affected Versions OneOrZero Helpdesk versions prior to 1.6.5.4

Description The issue concerns the "forgot password" function, which generates insecure passwords. This is done by concatenating the current timestamp with the username, allowing remote attackers to gain access as an arbitrary user by requesting a password reset.

Recommendations For versions prior to 1.6.5.4, update to version 1.6.5.4 or later to resolve the issue. As a temporary workaround, consider disabling the "forgot password" function until a patch is available. Restrict access to the password reset feature to minimize the risk of exploitation. Avoid using the username in conjunction with the password reset mechanism until the issue is resolved.