CVE-2021-34580

Remote user enumeration in mymbCONNECT24, mbCONNECT24 <= 2.9.0

CVSS: 7.5 (HIGH) | EPSS: 1.0% | CWE-204
In short

An attacker can discover valid usernames on mymbCONNECT24 and mbCONNECT24 systems by observing how the server responds to fake login attempts. This helps attackers identify real accounts to target for further attacks.

Technical detail

The application returns different HTTP responses for valid versus invalid usernames during authentication, allowing unauthenticated enumeration via timing or response-differentiation attacks. This information disclosure (CWE-204) lets attackers build a list of legitimate users for subsequent credential-based or brute-force attacks against affected versions up to and including 2.9.0.

Summary generated and translated by AI from the official description.
In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
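As an added illustration (not code from the advisory or from the mbCONNECT24 product), the following Python shows the CWE-204 response-discrepancy pattern described above beside a hardened login handler, plus a simple defender's check that compares the two responses. The user store, function names and credentials are constructed assumptions, not the product's real schema.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample user store: username -> (salt, PBKDF2 digest).
# This is an assumption for the example, not mbCONNECT24's real schema.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential so an unknown username costs the same hashing work as a real one.
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))


def login_vulnerable(username: str, password: str) -> tuple:
    """CWE-204 pattern: status and body reveal whether the username exists."""
    if username not in USERS:
        return (404, "unknown user")
    salt, digest = USERS[username]
    if hmac.compare_digest(_hash(password, salt), digest):
        return (200, "ok")
    return (401, "wrong password")


def login_hardened(username: str, password: str) -> tuple:
    """Same status, same body and same hashing work whether or not the user exists."""
    salt, digest = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), digest) and username in USERS
    return (200, "ok") if ok else (401, "invalid credentials")


def leaks_user_existence(login, known_user: str, unknown_user: str) -> bool:
    """Defender's check: does a wrong password produce a different response for a
    real account than for a non-existent one? True means CWE-204 style leakage.
    (Only the response content is compared here; timing needs a separate measurement.)"""
    return login(known_user, "bad-password") != login(unknown_user, "bad-password")


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_user_existence(login_vulnerable, "alice", "bob"))
    print("hardened leaks:", leaks_user_existence(login_hardened, "alice", "bob"))
```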
