inflixim4be/CVE-2020-15367
CVE-2020-15367
Brute Force on Supravizio BPM 10.1.2


Description

Venki Supravizio BPM 10.1.2 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page.

Exploitation

To exploit this vulnerability, it is necessary to first use the user enumeration vulnerability in Password Recovery (CVE-2020-15392) to enumerate valid users; an attacker can then perform an arbitrary number of authentication attempts against those accounts using different passwords and eventually gain access to the targeted account.
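The missing control here is an attempt limiter in front of the password check. The following Python example is added to this advisory for illustration; it is not code from this repository or from Supravizio. It assumes a constructed single-user credential store, a constructed client address (`198.51.100.7`), and a deterministic clock, and contrasts an unbounded login handler (the behaviour described above) with the same handler behind a sliding-window lockout keyed per account and per source address.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed demo credential store (not Supravizio's): username -> (salt, PBKDF2 hash)
_SALT = b"constructed-demo-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users still cost one hash so the
    response time does not reveal whether the account exists."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _SALT)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


class LoginThrottle:
    """Sliding-window failure counter per key (account or source address).
    After max_failures inside window_s, the key is locked for lockout_s."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900, clock=time.monotonic):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def is_blocked(self, key) -> bool:
        now = self.clock()
        until = self.locked_until.get(key)
        if until is not None:
            if now < until:
                return True
            del self.locked_until[key]  # lockout expired: start with a clean window
            self.failures[key].clear()
        return False

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.max_failures:
            self.locked_until[key] = now + self.lockout_s

    def record_success(self, key):
        self.failures.pop(key, None)


def attempt_login(username, password, src_ip, throttle=None) -> str:
    """Returns 'ok', 'invalid' or 'locked'. throttle=None is the unbounded
    behaviour described in the advisory."""
    keys = (f"user:{username}", f"ip:{src_ip}")
    if throttle is not None and any(throttle.is_blocked(k) for k in keys):
        return "locked"  # refused before the password is even checked
    if verify_password(username, password):
        if throttle is not None:
            for k in keys:
                throttle.record_success(k)
        return "ok"
    if throttle is not None:
        for k in keys:
            throttle.record_failure(k)
    return "invalid"


class FakeClock:
    """Deterministic clock so the scenario does not depend on wall time."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def run_scenario(throttle, clock, wrong_guesses=20):
    """Constructed sequence: wrong_guesses bad passwords from one address, then the
    right password, then the right password again after any lockout has expired."""
    ip, good = "198.51.100.7", "correct horse battery staple"
    results = [attempt_login("alice", f"wrong-{i}", ip, throttle) for i in range(wrong_guesses)]
    results.append(attempt_login("alice", good, ip, throttle))
    clock.advance(throttle.lockout_s + 1 if throttle else 1)
    results.append(attempt_login("alice", good, ip, throttle))
    return {"invalid": results.count("invalid"), "locked": results.count("locked"),
            "ok": results.count("ok"), "first_correct_attempt": results[wrong_guesses],
            "after_lockout": results[-1]}


if __name__ == "__main__":
    clock = FakeClock()
    print("unthrottled:", run_scenario(None, clock))
    clock = FakeClock()
    print("throttled:  ", run_scenario(LoginThrottle(clock=clock), clock))
```

Without the throttle every guess is evaluated and the correct password is accepted on the first try; with it, the account and the source address are both refused after five failures inside the window, including the attempt that happens to carry the right password, until the lockout expires. Keying on the source address alone is not enough (one account, many addresses) and keying on the account alone invites an attacker to lock legitimate users out, which is why the example uses both with a short lockout; the `locked` outcome is also the event worth logging and alerting on.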

PoC

  • Login Page
  • Brute Force Login - Invalid User
  • Brute Force Login - Valid User
