CVE-2025-32993

Name of the Vulnerable Software and Affected Versions Vision Helpdesk versions 5.7.0 and earlier

Description The issue allows Time-Based Blind SQL injection via the vis username parameter in the Forgot Password feature, also known as index.php?/home/forgot-password. No authentication is required to exploit this issue.

Recommendations For Vision Helpdesk versions 5.7.0 and earlier, as a temporary workaround, consider disabling the Forgot Password feature until a patch is available. Restrict access to the index.php?/home/forgot-password endpoint to minimize the risk of exploitation. Avoid using the vis username parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.