
ID

VDE-2022-017

Published

2022-09-07 12:54 (CEST)

Last update

2022-09-07 12:54 (CEST)

Vendor(s)

Helmholz GmbH & Co. KG

Product(s)

Article No. | Product Name | Affected Version(s)
 | myREX24 | <= 2.11.2
 | myREX24.virtual | <= 2.11.2

Summary

An issue was discovered in myREX24 and myREX24.virtual in all versions through 2.11.2.


Last Update:

Nov. 17, 2022, 10:47 a.m.

Weakness

Observable Response Discrepancy (CWE-204)

Summary

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

Impact

A remote, unauthenticated attacker can enumerate valid users with a timing attack against the webserver.

Solution

Update to Version 2.12.1

Reported by

SySS GmbH reported this vulnerability to Helmholz.

Helmholz reported this vulnerability to MB connect line.

CERT@VDE coordinated with Helmholz & MB connect line.