
ID

VDE-2021-058

Published

2021-12-08 13:04 (CET)

Last update

2021-12-08 13:04 (CET)

Vendor(s)

Helmholz GmbH & Co. KG

Product(s)

| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | myREX24 | <= 2.9.0 |
| | myREX24-virtual | <= 2.9.0 |

Summary

An issue was discovered in the myREX24 and myREX24-virtual software in all versions through V2.9.0.


Weakness

Response Discrepancy Information Exposure (CWE-204)

Summary

An unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.
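
The response-discrepancy pattern behind this weakness class, as an added example that is not myREX24 code and is not taken from the advisory: a login handler whose failure responses depend on whether the account exists, next to one that answers every failure identically, plus a regression check for the difference. The user store, status codes and messages are constructed for illustration; the advisory does not say which response attribute differs in the affected product.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _make_record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample user store (assumption, not from the advisory).
USERS = {"operator": _make_record("correct horse")}
# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY = _make_record("unused")


def login_discrepant(username: str, password: str):
    """CWE-204 pattern: status and message reveal whether the account exists."""
    if username not in USERS:
        return 404, "Unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "Wrong password"
    return 200, "OK"


def login_uniform(username: str, password: str):
    """Every failed attempt gets the same status, body and hashing work."""
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    # The membership test stops the dummy record from ever authenticating.
    if matches and username in USERS:
        return 200, "OK"
    return 401, "Invalid credentials"


def leaks_account_existence(handler, known_user: str, unknown_user: str) -> bool:
    """Regression check: do failed logins differ between a real and a fake account?"""
    return handler(known_user, "wrong-pw") != handler(unknown_user, "wrong-pw")
```

A check like `leaks_account_existence` only compares status and body; headers, redirects and response timing need the same comparison in a real test suite.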


Solution

Update myREX24/myREX24-virtual to 2.10.1

Reported by

LEWA Attendorn GmbH reported this vulnerability to MB connect line. 

CERT@VDE coordinated.