CVE-2017-18486

Name: CVE-2017-18486
Creator: NVD / NIST
Published: 2019-08-09T17:15:10.847+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 4.81%

Last modified Jun 17, 2026

CVE-2017-18486 is a vulnerability of currently unknown severity. Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. By inspecting the token value provided in a password reset link, a user can leverage a weak PRNG to recover the shared secret used by the server for remote authentication. EPSS estimates a 4.81% chance of exploitation in the next 30 days.

Description

Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. By inspecting the token value provided in a password reset link, a user can leverage a weak PRNG to recover the shared secret used by the server for remote authentication. The shared secret can be used to escalate privileges by forging new tokens for any user. These tokens can be used to automatically log in as the affected user.

Metrics

EPSS Probability

4.81%

90.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-332

Affected Software

Vendor	Product	Versions
Jitbit	Helpdesk	< 9.0.3

References

https://github.com/Kc57/JitBit_Helpdesk_Auth_BypassExploit, Third Party Advisory
https://packetstormsecurity.com/files/144334/JitBit-Helpdesk-9.0.2-Broken-Authentication.htmlThird Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/42776Exploit, Third Party Advisory, VDB Entry
https://www.trustedsec.com/2017/09/full-disclosure-jitbit-helpdesk-authentication-bypass-0-dayThird Party Advisory
https://github.com/Kc57/JitBit_Helpdesk_Auth_BypassExploit, Third Party Advisory
https://packetstormsecurity.com/files/144334/JitBit-Helpdesk-9.0.2-Broken-Authentication.htmlThird Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/42776Exploit, Third Party Advisory, VDB Entry
https://www.trustedsec.com/2017/09/full-disclosure-jitbit-helpdesk-authentication-bypass-0-dayThird Party Advisory

Timeline

Published: Aug 9, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-18486?

How severe is CVE-2017-18486?

Severity scoring for CVE-2017-18486 is pending analysis. The EPSS model estimates a 4.81% probability of exploitation in the next 30 days.

How do I fix CVE-2017-18486?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-18486?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST