CVE-2021-44554

2021-12-2008:31:42

mitre

www.cve.org

5.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.2%

JSON

Thinfinity VirtualUI before 3.0 allows a malicious actor to enumerate users registered in the OS (Windows) through the /changePassword URI. By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest and krgtbt.

References

github.com/cybelesoft/virtualui/issues/1