CVE-2017-18486

Name of the Vulnerable Software and Affected Versions Jitbit Helpdesk versions prior to 9.0.3

Description The issue allows remote attackers to escalate privileges due to mishandling of the userHash parameter in the User/AutoLogin functionality. By inspecting the token value provided in a password reset link, a user can recover the shared secret used by the server for remote authentication. This shared secret can be used to forge new tokens for any user, allowing automatic login as the affected user.

Recommendations For versions prior to 9.0.3, update to version 9.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the password reset functionality to minimize the risk of exploitation. Avoid using the userHash parameter in the affected User/AutoLogin functionality until the issue is resolved.