
ID

VDE-2021-037

Published

2021-10-27 12:15 (CEST)

Last update

2021-11-10 14:30 (CET)

Vendor(s)

MB connect line GmbH

Product(s)

Article No° | Product Name | Affected Version(s)
- | mbCONNECT24 | <= 2.9.0
- | mymbCONNECT24 | <= 2.9.0

Summary

An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.9.0.


Weakness

Response Discrepancy Information Exposure (CWE-204)

Summary

An unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.


Impact

Please consult the CVE Entry above.

Solution

Update mbCONNECT24/mymbCONNECT24 to 2.10.1

Reported by

LEWA Attendorn GmbH reported this vulnerability to MB connect line.

CERT@VDE coordinated.