Lucene search

[email protected]CVE-2021-34580

HistoryOct 27, 2021 - 11:15 a.m.

CVE-2021-34580

2021-10-2711:15:00

CWE-203

[email protected]

web.nvd.nist.gov

cve-2021-34580

mymbconnect24

user enumeration

security vulnerability

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

51.1%

JSON

In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.

CPENameOperatorVersion
mbconnectline:mbconnect24mbconnectline mbconnect24le2.9.0
mbconnectline:mymbconnect24mbconnectline mymbconnect24le2.9.0

CPE	Name	Operator	Version
mbconnectline:mbconnect24	mbconnectline mbconnect24	le	2.9.0
mbconnectline:mymbconnect24	mbconnectline mymbconnect24	le	2.9.0

References

cert.vde.com/en/advisories/VDE-2021-037/

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

51.1%

JSON

Related for CVE-2021-34580

prion1 cvelist1