Nav1N

**Name of the Vulnerable Software and Affected Versions** Vision Helpdesk versions 5.7.0 and earlier **Description** The issue allows Time-Based Blind SQL injection via the `vis username` parameter in the Forgot Password feature, also known as `index.php?/home/forgot-password`. No authentication is required to exploit this issue. **Recommendations** For Vision Helpdesk versions 5.7.0 and earlier, as a temporary workaround, consider disabling the Forgot Password feature until a patch is available. Restrict access to the `index.php?/home/forgot-password` endpoint to minimize the risk of exploitation. Avoid using the `vis username` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.