CVE-2006-5474

The "forgot password" function in OneOrZero Helpdesk before 1.6.5.4 generates insecure passwords by concatenating the current timestamp with the username, which allows remote attackers to gain access as an arbitrary user by requesting a password reset.

Published: Oct 24, 2006
Updated: Apr 13, 2023
CVE: CVE-2006-5474
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
oneorzero / oneorzero_helpdesk	1.6.3	1.6.3.x
oneorzero / oneorzero_helpdesk	-	1.6.5.3.x
oneorzero / oneorzero_helpdesk	1.6	1.6.x
oneorzero / oneorzero_helpdesk	1.6.4	1.6.4.x

http://oneorzero.com/downloads/release_notes/Current_Release_notes.html
http://secunia.com/advisories/22476
http://securityreason.com/securityalert/1767
http://www.securityfocus.com/archive/1/449352/100/0/threaded
http://www.securityfocus.com/bid/20651
http://www.whitedust.net/speaks/3043/

Vulnerability Database

CVE-2006-5474