
ID

VDE-2021-030

Published

2021-07-22 13:34 (CEST)

Last update

2021-07-22 13:34 (CEST)

Vendor(s)

MB connect line GmbH

Product(s)

Article No°   Product Name     Affected Version(s)
              mbCONNECT24      <= 2.8.0
              mymbCONNECT24    <= 2.8.0

Summary

Two issues have been discovered in mymbCONNECT24 and mbCONNECT24 in all versions up to and including V2.8.0.

Vulnerabilities



Weakness
Observable Discrepancy (CWE-203)
Summary

An unauthenticated user can enumerate valid users by checking what kind of response the server sends.
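
The observable-discrepancy pattern (CWE-203) described above, shown next to a hardened form, as an added example that is not code from MB connect line or from this advisory. The advisory does not say which part of the response differed; the handler names, status codes, messages and the sample account are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_store(accounts: dict) -> dict:
    """Build a username -> (salt, hash) store from constructed sample accounts."""
    store = {}
    for name, pw in accounts.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(pw, salt))
    return store

# Dummy credential so unknown users cost the same hashing work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-not-a-real-password", _DUMMY_SALT)

def login_leaky(store, username, password):
    """CWE-203 pattern: the response tells the caller whether the user exists."""
    if username not in store:
        return 404, "unknown user"
    salt, expected = store[username]
    if not hmac.compare_digest(_hash(password, salt), expected):
        return 401, "wrong password"
    return 200, "ok"

def login_uniform(store, username, password):
    """Hardened form: one failure response, same work on both failure paths."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), expected)
    if username in store and matches:
        return 200, "ok"
    return 401, "invalid username or password"

def failure_responses_differ(handler, store, known_user, unknown_user):
    """Regression check: True if failed logins reveal whether the account exists."""
    bad = "wrong-pw"
    return handler(store, known_user, bad) != handler(store, unknown_user, bad)

# Constructed sample data, not taken from the advisory.
STORE = make_store({"alice": "correct horse battery staple"})
```

The same comparison can be run as a regression test against any authentication endpoint you operate, extended to password-reset and registration flows, which commonly leak the same distinction.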

Weakness
Incorrect Resource Transfer Between Spheres (CWE-669)
Summary

An authenticated attacker can change the password of his account to a new password that violates the password policy by intercepting and modifying the request that is sent to the ...

Solution

Update to 2.9.0

Reported by

OTORIO reported the vulnerabilities to MB connect line.

CERT@VDE coordinated.