
ID

VDE-2022-017

Published

2022-09-07 12:54 (CEST)

Last update

2022-09-07 12:54 (CEST)

Vendor(s)

Helmholz GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
myREX24 <= 2.11.2
myREX24.virtual <= 2.11.2

Summary

An issue was discovered in myREX24 and myREX24.virtual in all versions through 2.11.2.


Weakness

Observable Response Discrepancy (CWE-204)

Summary

A remote, unauthenticated user can enumerate valid users by using a timing attack.


Impact

A remote, unauthenticated attacker can enumerate valid users with a timing attack against the webserver.
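
The advisory does not state where the timing difference originates. The following is an added example, not code from Helmholz, MB connect line or the advisory: it assumes one common cause of CWE-204 in login handlers, namely skipping the password hash when the username is unknown, and shows that pattern beside a version that does the same work on both paths. All names (`login_leaky`, `login_uniform`, `USERS`, `kdf_cost`) and the sample account are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed work factor for this example
kdf_calls = 0            # instrumentation: counts slow-hash invocations


def _kdf(password: str, salt: bytes) -> bytes:
    """Deliberately slow password hash; increments the call counter."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


# Constructed sample user store: username -> (salt, hash).
USERS = {"operator": make_record("correct horse battery")}

# Dummy record verified for unknown usernames, so both paths pay for one KDF run.
_DUMMY_SALT, _DUMMY_HASH = make_record(os.urandom(16).hex())


def login_leaky(username: str, password: str) -> bool:
    """Weak pattern: returns before hashing when the user does not exist."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path: response time reveals "no such user"
    salt, stored = record
    return hmac.compare_digest(_kdf(password, salt), stored)


def login_uniform(username: str, password: str) -> bool:
    """Hardened pattern: one KDF run and one constant-time compare per attempt."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(_kdf(password, salt), stored)
    return matches and record is not None


def kdf_cost(login, username: str, password: str) -> int:
    """Number of slow-hash runs triggered by a single login attempt."""
    before = kdf_calls
    login(username, password)
    return kdf_calls - before
```

Counting hash invocations instead of measuring wall-clock time keeps the comparison deterministic; in a deployed service the same equalization has to hold for every other branch on the login path as well, such as account-lockout checks and database lookups.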

Solution

Update to version 2.12.1.

Reported by

SySS GmbH reported this vulnerability to Helmholz.

Helmholz reported this vulnerability to MB connect line.

CERT@VDE coordinated with Helmholz & MB connect line.