Lucene search

Veracode Vulnerability DatabaseVERACODE:45912

HistoryMar 18, 2024 - 8:15 a.m.

Username Enumeration

2024-03-1808:15:06

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vantage6

username enumeration

vulnerability

access controls

sensitive information

api routes

password recovery

multi-factor authentication

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

Low

EPSS

Percentile

15.5%

JSON

Vantage6 is vulnerable to Username Enumeration. This vulnerability is due to inadequate access controls of sensitive information due to the exposure of API routes /recover/lost and /2fa/lost, which allows unauthorized individuals to trigger password or Multi-Factor Authentication (MFA) token recovery emails.

References

github.com/vantage6/vantage6/commit/aecfd6d0e83165a41a60ebd52d2287b0217be26b

github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53

github.com/vantage6/vantage6/security/advisories/GHSA-5h3x-6gwf-73jm

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

Low

EPSS

Percentile

15.5%

JSON

Related for VERACODE:45912