Cibele Thinfinity VirtualUI 2.5.41.0 – User Enumeration

  • Author: Daniel Morales
  • Date: 2021-12-16
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/50601/
# Exploit Title: Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
# Date: 13/12/2021
# Exploit Author: Daniel Morales, IT Security Team - ARHS Spikeseed
# Vendor Homepage: https://www.cybelesoft.com
# Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
# Version: vulnerable < v3.0
# Tested on: Microsoft Windows
# CVE: CVE-2021-44848

How it works: By accessing the vector, an attacker can determine whether a username exists thanks to the message returned; the message can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest...
Payload: The vulnerable vector is "https://example.com/changePassword?username=USERNAME", where "USERNAME" needs to be brute-forced.
Reference: https://github.com/cybelesoft/virtualui/issues/1
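The enumeration described above leaves a recognisable trace in the web server's access log: one client requesting the changePassword endpoint with many distinct username values in a short span. The following detection script is an added example written for this page; it is not part of the original advisory or of any Cybele Soft code. It assumes the server writes Apache/nginx combined-format access logs (the sample lines below are constructed, not captured traffic), and the alert threshold of three distinct usernames per client is an arbitrary choice to tune for your environment.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
# 203.0.113.5 probes several usernames against the endpoint; 198.51.100.7
# makes one ordinary password-change request and a normal page load.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2021:10:00:01 +0000] "GET /changePassword?username=administrator HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2021:10:00:02 +0000] "GET /changePassword?username=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2021:10:00:02 +0000] "GET /changePassword?username=guest HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2021:10:00:03 +0000] "GET /changePassword?username=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2021:10:00:03 +0000] "GET /changePassword?username=alice HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2021:10:00:04 +0000] "GET /changePassword?username=bob HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2021:10:05:10 +0000] "GET /changePassword?username=jdoe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2021:10:05:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint and parameter named in the advisory; path is compared case-insensitively.
ENDPOINT = "/changepassword"
PARAM = "username"


def parse_line(line):
    """Return (client_ip, username) for a request to the changePassword endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != ENDPOINT:
        return None
    values = parse_qs(parts.query).get(PARAM)
    if not values:
        return None
    return m.group("ip"), values[0].lower()


def enumeration_candidates(log_text, threshold=3):
    """Map client IP -> sorted list of distinct usernames it probed.

    Only clients that reached `threshold` distinct usernames are returned;
    a single user changing their own password never trips the rule.
    """
    probes = defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            ip, user = hit
            probes[ip].add(user)
    return {ip: sorted(users) for ip, users in probes.items() if len(users) >= threshold}


if __name__ == "__main__":
    for ip, users in enumeration_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct usernames probed via {ENDPOINT}: {', '.join(users)}")
```

Counting distinct usernames rather than raw request volume is what separates enumeration from a user retrying their own password change; the repeated "admin" request from 203.0.113.5 is counted once. In production you would also bound the count by a time window and feed the flagged clients to rate limiting or blocking at the reverse proxy until the vendor fix (version 3.0 per the advisory) is deployed.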