CVE-2020-15367
Brute Force on Supravizio BPM 10.1.2
Description
Venki Supravizio BPM 10.1.2 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page.
Exploitation
To exploit this vulnerability, an attacker first uses the user enumeration vulnerability in Password Recovery (CVE-2020-15392) to enumerate valid users, then performs an arbitrary number of authentication attempts with different passwords against those accounts, eventually gaining access to the targeted account.
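The missing control behind this advisory is a cap on authentication attempts. The following is an added example, not code from the advisory or from the vendor, showing the two things a defender wants here: a hypothetical login guard (`LoginThrottle`) that counts failures per account and per source address in a sliding window and locks out further attempts, and detection logic (`detect_bruteforce`) that flags the burst of failures such an attack leaves in an authentication log. The credential store, the log line format, the thresholds and the addresses are all constructed for the demo and are not Supravizio's own.

```python
import hashlib
import hmac
import re
from collections import defaultdict, deque

# Constructed credential store (demo only): username -> SHA-256 of password.
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _password_ok(username: str, password: str) -> bool:
    """Compare in constant time against a dummy digest for unknown users, so
    the response does not reveal whether the account exists."""
    expected = _USERS.get(username, hashlib.sha256(b"\x00").hexdigest())
    actual = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, actual) and username in _USERS


class LoginThrottle:
    """Sliding-window failure counter with lockout (assumed policy values)."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)  # key -> timestamps of failures
        self._locked_until = {}              # key -> time the lockout ends

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def _is_locked(self, key, now):
        return self._locked_until.get(key, 0) > now

    def attempt(self, username, password, source_ip, now):
        """Return 'locked', 'ok' or 'bad_credentials'. The lock is checked
        before the password, so a locked account rejects even the right one."""
        keys = (f"user:{username.lower()}", f"ip:{source_ip}")
        if any(self._is_locked(k, now) for k in keys):
            return "locked"
        if _password_ok(username, password):
            for k in keys:
                self._failures[k].clear()
            return "ok"
        for k in keys:
            self._prune(k, now)
            self._failures[k].append(now)
            if len(self._failures[k]) >= self.max_failures:
                self._locked_until[k] = now + self.lockout_s
        return "bad_credentials"


# Constructed auth-log lines in an assumed format (not the product's own).
SAMPLE_LOG = """\
2020-07-01T10:00:01Z login result=fail user=alice src=203.0.113.9
2020-07-01T10:00:02Z login result=fail user=alice src=203.0.113.9
2020-07-01T10:00:02Z login result=fail user=alice src=203.0.113.9
2020-07-01T10:00:03Z login result=fail user=alice src=203.0.113.9
2020-07-01T10:00:03Z login result=fail user=alice src=203.0.113.9
2020-07-01T10:00:04Z login result=fail user=alice src=203.0.113.9
2020-07-01T10:00:09Z login result=ok user=alice src=203.0.113.9
2020-07-01T10:05:00Z login result=fail user=bob src=198.51.100.7
2020-07-01T10:06:00Z login result=ok user=bob src=198.51.100.7
"""
_LINE = re.compile(r"login result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")


def detect_bruteforce(log_text, threshold=5):
    """Map (user, src) -> {'failures', 'success_after'} for every pair whose
    run of consecutive failures reaches `threshold`. A success right after
    such a run is the worst case (likely compromise) and is flagged."""
    runs = defaultdict(int)
    alerts = {}
    for line in log_text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        key = (m["user"], m["src"])
        if m["result"] == "fail":
            runs[key] += 1
            if runs[key] >= threshold:
                alerts[key] = {"failures": runs[key], "success_after": False}
        else:
            if key in alerts:
                alerts[key]["success_after"] = True
            runs[key] = 0
    return alerts


def demo():
    """Five wrong passwords, the right one while locked out, then the right
    one after the lockout expires (times are seconds, constructed)."""
    t = LoginThrottle(max_failures=5, window_s=300, lockout_s=900)
    results = [t.attempt("alice", f"guess{i}", "203.0.113.9", now=i) for i in range(5)]
    results.append(t.attempt("alice", "correct horse", "203.0.113.9", now=6))
    results.append(t.attempt("alice", "correct horse", "203.0.113.9", now=6 + 900))
    return results


if __name__ == "__main__":
    print(demo())
    print(detect_bruteforce(SAMPLE_LOG))
```

Keying the counter on both the account and the source address means a single source cannot cycle through the enumerated user list indefinitely, and a distributed attacker still hits the per-account cap; the unknown-user path returns the same result as a wrong password so the throttle itself does not become a second enumeration oracle.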
PoC
- Login Page
- Brute Force Login - Invalid User
- Brute Force Login - Valid User