Vendor: Thinfinity VirtualUI
By: Daniel Morales, IT Security Team - ARHS Spikeseed
CVSS: 5.3 (MEDIUM)
Type: User Enumeration
CWE: 203
Product Name: Thinfinity VirtualUI
Affected Version From: 2.5.41.0
Affected Version To: < 3.0
Patch Exists: YES
Related CVE: CVE-2021-44848
CPE: a:cybelesoft:thinfinity_virtualui
Metasploit:
Other Scripts:
Tags: cve,cve2021,exposure,thinfinity,packetstorm,virtualui,tenable
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Nuclei Metadata: {'max-request': 1, 'vendor': 'cybelesoft', 'product': 'thinfinity_virtualui'}
Platforms Tested: Microsoft Windows
Year: 2021

Cybele Thinfinity VirtualUI 2.5.41.0 – User Enumeration

By requesting the vulnerable endpoint, an unauthenticated attacker can determine whether a username exists from the message returned; the message may be presented in different languages depending on the VirtualUI configuration. Common usernames are administrator, admin, guest and similar. The vulnerable endpoint is 'https://example.com/changePassword?username=USERNAME', where 'USERNAME' needs to be brute-forced.

Mitigation:

Ensure that the application does not return different messages depending on the existence of a username.
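The following is an added illustration of that mitigation, not code from Thinfinity VirtualUI or from the advisory author: a password-reset handler that leaks account existence through its response next to one that answers identically in both cases, plus a small uniformity check. The user store, status codes and messages are constructed assumptions.

```python
import secrets

# Constructed user store standing in for the application's account database.
# The accounts, messages and status codes below are assumptions made for this
# illustration, not Thinfinity VirtualUI's real data or wording.
USERS = {"administrator": "admin@example.com", "guest": "guest@example.com"}

# Work queue standing in for an asynchronous mail sender: the handler only
# enqueues, so its response time does not depend on whether mail is sent.
OUTBOX = []


def vulnerable_change_password(username: str) -> dict:
    """Reset handler that leaks account existence (the CWE-203 pattern).

    Status code and message differ depending on whether the username exists,
    so an unauthenticated caller can tell the two cases apart.
    """
    if username in USERS:
        return {"status": 200, "message": "A reset link was sent to your e-mail."}
    return {"status": 404, "message": "User not found."}


def hardened_change_password(username: str) -> dict:
    """Reset handler that answers identically whether or not the user exists.

    The branch still does the real work (queueing a reset mail) for known
    accounts, but nothing observable in the response depends on it.
    """
    token = secrets.token_urlsafe(32)
    if username in USERS:
        OUTBOX.append((USERS[username], token))
    return {"status": 200,
            "message": "If the account exists, a reset link has been sent."}


def responses_are_uniform(handler, usernames) -> bool:
    """Return True when the handler gives the same status and message for
    every username, i.e. it offers no existence signal. This is the check
    the mitigation above asks for, usable against either handler."""
    seen = {(r["status"], r["message"]) for r in map(handler, usernames)}
    return len(seen) == 1
```

Language-dependent wording, as the advisory notes, does not change the check: any per-username difference in status or body, in whatever language, fails it.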

Exploit-DB raw data:

# Exploit Title: Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
# Date: 13/12/2021
# Exploit Author: Daniel Morales, IT Security Team - ARHS Spikeseed
# Vendor Homepage: https://www.cybelesoft.com
# Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
# Version: vulnerable < v3.0
# Tested on: Microsoft Windows
# CVE: CVE-2021-44848

How it works: By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest...
Payload: The vulnerable vector is "https://example.com/changePassword?username=USERNAME" where "USERNAME" needs to be brute-forced.
Reference: https://github.com/cybelesoft/virtualui/issues/1