Vulnerabilities > CVE-2021-34580 - Information Exposure Through Discrepancy vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

mbconnectline

CWE-203

NVD

Published: 2021-10-27

Updated: 2021-11-01

Summary

In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.

Vulnerable Configurations

Part	Description	Count
Application	Mbconnectline Mbconnectline Mbconnect24 - Mbconnectline Mbconnect24 2.5.0 Mbconnectline Mbconnect24 2.6.1 Mbconnectline Mbconnect24 2.6.2 Mbconnectline Mbconnect24 2.8.0 Mbconnectline Mymbconnect24 - Mbconnectline Mymbconnect24 2.5.0 Mbconnectline Mymbconnect24 2.6.1 Mbconnectline Mymbconnect24 2.6.2 Mbconnectline Mymbconnect24 2.8.0	10

Common Weakness Enumeration (CWE)

CWE-203 - Information Exposure Through Discrepancy

References

https://cert.vde.com/en/advisories/VDE-2021-037/