exploitDog

CVE-2021-44554

Published: 20 Dec 2021
Source: nvd
CVSS3: 5.3
CVSS2: 5
EPSS: Low

Description

Thinfinity VirtualUI before 3.0 allows a malicious actor to enumerate users registered in the OS (Windows) through the /changePassword URI. By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest and krgtbt.

Vulnerable configurations

Configuration 1
cpe:2.3:a:cybelesoft:thinfinity_virtualui:*:*:*:*:*:*:*:*
Versions before 3.0 (exclusive)

EPSS

Percentile: 60%
0.00395
Low

5.3 Medium

CVSS3

5 Medium

CVSS2

Weaknesses

CWE-203

Related vulnerabilities

github
about 4 years ago

Thinfinity VirtualUI before 3.0 allows a malicious actor to enumerate users registered in the OS (Windows) through the /changePassword URI. By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest and krgtbt.
