{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-58343", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-16T22:27:02.589Z", "datePublished": "2026-04-16T22:27:03.084Z", "dateUpdated": "2026-04-17T13:31:05.652Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Helpdesk", "vendor": "Vision", "versions": [{"lessThan": "5.6.10", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-425", "description": "CWE-425 Direct Request ('Forced Browsing')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T22:36:12.369Z"}, "references": [{"url": "https://github.com/websec/Vision-Helpdesk-Exploit"}, {"url": "https://websec.net/blog/critical-vulnerability-in-vision-helpdesk-allows-unauthorized-session-access-67264646bde7fa99ea26446f"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T13:26:27.158971Z", "id": "CVE-2024-58343", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T13:31:05.652Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id."}], "id": "CVE-2024-58343", "lastModified": "2026-04-16T23:16:32.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-16T23:16:32.663", "references": [{"source": "cve@mitre.org", "url": "https://github.com/websec/Vision-Helpdesk-Exploit"}, {"source": "cve@mitre.org", "url": "https://websec.net/blog/critical-vulnerability-in-vision-helpdesk-allows-unauthorized-session-access-67264646bde7fa99ea26446f"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-425"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.6.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Helpdesk", "source": "cna", "vendor": "Vision"}, "product": "helpdesk", "vendor": "vision"}], "analysis": {"en": {"generated_at": "2026-04-16T23:20:33.933671+00:00", "value": {"mitigation_remediation": ["Upgrade Vision:Helpdesk to version 5.6.10 or newer.", "If an immediate upgrade is not possible, consider temporarily disabling or removing the functionality that stores user profile data in the vis_client_id cookie, or enforce strict validation of the cookie contents to prevent tampering.", "Ensure the deployment is protected by network access controls and monitor for anomalous cookie activity."], "summary": {"action": "Patch", "impact": "Read user profiles via cookie tampering"}, "threat_synthesis": {"affected_systems": "The affected product is Vision:Helpdesk. Versions before 5.7.0 are vulnerable, and the issue was addressed in patch release 5.6.10. Therefore any deployment of Vision:Helpdesk earlier than 5.6.10, including 5.6.0 through 5.6.9 and earlier releases, is at risk.", "description_and_impact": "Vision Helpdesk versions prior to 5.7.0 contain a flaw that lets attackers modify a serialized cookie named vis_client_id to read user profile data. The vulnerability is an information disclosure weakness that can be exploited by sending crafted requests to the web interface, enabling unauthorized access to sensitive user information. The weakness falls under CWE-425.", "risk_and_exploitability": "The CVSS Base score of 4.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known widespread exploitation. Attackers can exploit the flaw remotely by manipulating the vis_client_id cookie, so the threat is remote. To mitigate, the vendor recommends upgrading to version 5.6.10 or newer."}}}}, "created": "2026-04-16T23:30:04.213478+00:00", "title": "Unauthorized Reading of User Profiles via Modified Cookie in Vision Helpdesk", "updated": "2026-04-17T08:01:23.432821+00:00", "vendors": ["vision", "vision$PRODUCT$helpdesk"]}