
ID

VDE-2022-011

Published

2022-09-07 12:50 (CEST)

Last update

2022-09-07 12:50 (CEST)

Vendor(s)

MB connect line GmbH

Product(s)

Product Name     Affected Version(s)
mbCONNECT24      <= 2.11.2
mymbCONNECT24    <= 2.11.2

Summary

An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.11.2.


Last Update: 17 November 2022 10:47

Weakness

Observable Response Discrepancy (CWE-204)

Summary

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

Impact

A remote, unauthenticated attacker can enumerate valid users with a timing attack against the webserver.
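To illustrate the weakness class (CWE-204) and its mitigation, here is an added example that is not code from the advisory or from the affected products: a hypothetical login check in which an unknown account returns before the slow password hash is computed (the response-time discrepancy), beside an equal-work version that performs the same hashing and constant-time comparison for every request. The user store, salts and the `hash_calls` counter are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; this is the slow step an early return skips

# Counter used to show how much hashing work each login path performs.
hash_calls = {"count": 0}


def hash_password(password: str, salt: bytes) -> bytes:
    hash_calls["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: one valid account (hypothetical, not from the advisory).
ALICE_SALT = os.urandom(16)
USERS = {"alice": (ALICE_SALT, hash_password("correct horse battery", ALICE_SALT))}

# Dummy record with a random, unguessable password so that unknown users still go
# through the full verification path and can never produce a match.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(os.urandom(32).hex(), DUMMY_SALT)


def login_discrepant(username: str, password: str) -> bool:
    """Vulnerable pattern (CWE-204): an unknown user returns before the slow hash
    runs, so the response is measurably faster than for an existing account."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_equal_work(username: str, password: str) -> bool:
    """Hardened pattern: every request performs exactly one PBKDF2 computation and
    one constant-time comparison, whether or not the account exists."""
    known = username in USERS
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    match = hmac.compare_digest(hash_password(password, salt), stored)
    return match and known


def hash_work(login, username: str, password: str) -> int:
    """Number of PBKDF2 computations one login attempt triggers (the timing side channel)."""
    before = hash_calls["count"]
    login(username, password)
    return hash_calls["count"] - before
```

`hash_work` makes the discrepancy visible without timing: the vulnerable path does zero hash computations for an unknown user and one for a known user, while the hardened path does exactly one in both cases.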

Solution

Update to version 2.12.1.

Reported by

SySS GmbH reported this vulnerability to Helmholz.

Helmholz reported this vulnerability to MB connect line.

CERT@VDE coordinated with Helmholz & MB connect line.