Vulnerabilities > CVE-2017-18486 - Insufficient Entropy in PRNG vulnerability in Jitbit Helpdesk

047910
CVSS 7.2 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
jitbit
CWE-332

Summary

Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. By inspecting the token value provided in a password reset link, a user can leverage a weak PRNG to recover the shared secret used by the server for remote authentication. The shared secret can be used to escalate privileges by forging new tokens for any user. These tokens can be used to automatically log in as the affected user.

Vulnerable Configurations

Part Description Count
Application
Jitbit
1

Common Weakness Enumeration (CWE)