Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
Presentation:
Security vulnerability: Brute Force Attack.
Vulnerability Type: Broken Authentication.
Affected Component: Affected function on user's logon.
Software: mConnect MV.
Versions: 02.001.00, 2013.1.6.8 (discontinued).
Bussiness area: Health, Medicine.
Describe the bug/issue:
Information disclosure in Logon Page of MV mConnect application v02.001.00 and 2013.1.6.8 allows an attacker to know valid users from the application's database via
a brute force attack.
Have you searched the internet or Github for an answer?
Yes.
To Reproduce:
Enumeration - Create a list of usernames, which can be acquired over the internet and launch a word list attack against the vulnerable application, entering any invalid password. Note that for valid
users, the application returns "invalid password". For invalid users, the application returns "invalid user".
The differences between the responses of the application allows a hacker to know valid users of the system and proced to the next level, a password brute force attack over
only valid users.
Expected behavior:
Application should return a neutral response, not informing if a user exists or not, nor if the password is invalid or not.
Bug Fix:
No bug fix. Discontinued software.
CVE ID: CVE-2020-23283