Vision Helpdesk is the only web-based help desk software that allows you to manage support for multiple companies in one place, with a single staff portal for all companies and each company having its own client portal.
There is an SQL injection vulnerability in the View Article function that would allow a malicious user to obtain any information from the database.
We rate this vulnerability as HIGH because sensitive information can be obtained.
This vulnerability was tested against Vision HelpDesk 3.8.4 and is believed to exist in all versions prior to the fixed builds below.
This vulnerability was patched in Vision HelpDesk 3.8.6.
Vendor Contact Timeline:
2014-01-17: Vendor contacted via email.
2014-01-17: Vendor confirms vulnerability.
2014-01-23: Vendor issues updates to all builds.
2014-01-24: Rack911 issues security advisory.