
ID

VDE-2021-030

Published

2022-09-07 12:48 (CEST)

Last update

2022-09-07 12:48 (CEST)

Vendor(s)

MB connect line GmbH

Product(s)

Article No°   Product Name     Affected Version(s)
              mbCONNECT24      <= 2.11.2
              mymbCONNECT24    <= 2.11.2

Summary

Two issues have been discovered in mymbCONNECT24 and mbCONNECT24. The original advisory
listed all versions up to and including V2.8.0 as affected; see Update A below for the
revised affected versions and solution.

Update A, 2022-09-07:

  • Updated affected versions (and solution) due to incomplete fixes in previous versions

Vulnerabilities

Weakness
Observable Discrepancy (CWE-203)
Summary

An unauthenticated user can enumerate valid usernames because the server's response differs depending on whether the submitted username exists.
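The following is an added illustration of the CWE-203 pattern described above, not code from mbCONNECT24 or from the advisory: a login handler that answers "unknown user" and "wrong password" differently, next to a hardened version that returns the same status, the same body, and performs a hash computation on every failure path so that timing does not leak the same fact. The user store, passwords and messages are constructed for the example; enumeration_oracle is a hypothetical test helper that flags any candidate whose failure response differs from that of a name known not to exist.

```python
"""Added illustration of CWE-203 (observable discrepancy) on a login endpoint.
Hypothetical code, not mbCONNECT24's; users, passwords and messages are constructed."""
import hashlib
import hmac
import secrets


def _hash(password, salt):
    # Iteration count kept modest so the example runs quickly; raise it in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store: username -> (salt, PBKDF2 digest)
_SALT_A = b"\x01" * 16
USERS = {"alice": (_SALT_A, _hash("correct horse", _SALT_A))}

# Dummy record so that a lookup of an unknown user still costs exactly one hash.
_DUMMY_SALT = b"\x02" * 16
_DUMMY_DIGEST = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username, password):
    """Vulnerable: status code and message differ between 'no such user'
    and 'bad password', so an unauthenticated caller can enumerate accounts."""
    rec = USERS.get(username)
    if rec is None:
        return 404, "unknown user"
    salt, digest = rec
    if hmac.compare_digest(_hash(password, salt), digest):
        return 200, "ok"
    return 401, "wrong password"


def login_uniform(username, password):
    """Hardened: identical status and body for every failure, and the hash is
    always computed (against a dummy record for unknown users) so that response
    time does not become the discrepancy instead of the message."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    matched = hmac.compare_digest(_hash(password, salt), digest)
    if matched and username in USERS:
        return 200, "ok"
    return 401, "invalid credentials"


def enumeration_oracle(login, candidates, probe_password="not-the-password"):
    """Hypothetical check: compare each candidate's failure response with the
    response for a username that certainly does not exist. Any candidate whose
    response differs is one the endpoint reveals as valid. Empty set = no leak."""
    baseline = login("no-such-user-" + secrets.token_hex(4), probe_password)
    return {u for u in candidates if login(u, probe_password) != baseline}
```

The oracle compares only (status, body) pairs; when checking a real service, also compare response length, headers such as Set-Cookie, redirect targets, and response time, since any of these can carry the same discrepancy.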

Weakness
Incorrect Resource Transfer Between Spheres (CWE-669)
Summary

An authenticated attacker can change the password of their account to a new password that violates the password policy by intercepting and modifying the request that is sent to the ...
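The following is an added illustration of the failure mode described above, not code from mbCONNECT24 or from the advisory: a password-change handler that trusts a client-supplied "policy passed" flag (the pattern that an intercepting proxy defeats), next to one that re-validates the submitted password on the server. The policy values, request shape and the policy_ok field name are constructed for the example; the store dictionary stands in for the credential database and deliberately omits hashing, which is out of scope here.

```python
"""Added illustration of server-side password-policy enforcement.
Hypothetical code, not mbCONNECT24's; policy, field names and requests are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_length: int = 12
    classes_required: int = 3  # out of: lowercase, uppercase, digit, symbol


_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)


def policy_violations(password, policy=Policy()):
    """Return the reasons a password fails the policy; an empty list means compliant."""
    reasons = []
    if len(password) < policy.min_length:
        reasons.append(f"shorter than {policy.min_length} characters")
    classes = sum(1 for rx in _CLASSES if rx.search(password))
    if classes < policy.classes_required:
        reasons.append(f"uses {classes} character classes, need {policy.classes_required}")
    return reasons


def change_password_trusting_client(request, store, user):
    """Vulnerable pattern: the browser's JavaScript validated the password and set
    policy_ok=1; the server believes that flag and stores whatever arrives. Anyone
    who edits the request in a proxy chooses both the flag and the password."""
    if request.get("policy_ok") != "1":
        return 400, "client reported policy failure"
    store[user] = request["new_password"]
    return 200, "changed"


def change_password_server_checked(request, store, user):
    """Hardened: the server re-runs the policy on the submitted value and ignores
    any client hint. Client-side checks remain useful for UX, never for enforcement."""
    reasons = policy_violations(request["new_password"])
    if reasons:
        return 400, "; ".join(reasons)
    store[user] = request["new_password"]
    return 200, "changed"


# Constructed request as it might look after modification in an intercepting proxy:
# the password was replaced with one the browser form would have rejected, and the
# client-side flag was left (or set) to the passing value.
TAMPERED = {"new_password": "abc", "policy_ok": "1"}
```

Running both handlers against TAMPERED shows the difference: the trusting handler stores "abc", the checked handler rejects it with the concrete violations. The same principle applies to every other client-side constraint on the form (maximum length, forbidden characters, confirmation field), and a password-change endpoint should additionally require the current password or a fresh authentication, which this example does not cover.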

Solution

CVE-2020-34575: Update to >= 2.9.0

Update A, 2022-09-07:

CVE-2020-34574: Update to 2.12.1

Reported by

OTORIO reported the vulnerabilities to MB connect line.

CERT@VDE coordinated.