CVE-2020-24008
User Enumeration on Umanni RH
Description
A user enumeration vulnerability was found in Umanni RH. The issue occurs during password recovery, where a difference in response messages allows an attacker to determine whether a given user is valid, enabling a brute force attack using the list of valid users.
Exploitation
To exploit this vulnerability, it is necessary to request a password recovery: when a valid contact email is entered, the message "You will receive and email with instructions about how to reset your password in a few minutes." is displayed, and when an invalid email is entered, "Email not found" is displayed.
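The response difference described above, modelled as an added example (not Umanni RH code): a recovery handler that leaks account existence next to a hardened one that answers identically for every address, plus a detector over constructed log lines. The user store, the `/recover` path, the status codes and the log format are assumptions made for this illustration.

```python
# Added example, not Umanni RH code: the message difference described in the
# advisory, modelled as a vulnerable password-recovery handler beside a
# hardened one, plus a detector over constructed web-server log lines.
import secrets
from collections import Counter

# Constructed user store: email -> account id
USERS = {"alice@example.com": 1, "bob@example.com": 2}

# The two messages quoted in the advisory
MSG_FOUND = ("You will receive and email with instructions about how to "
             "reset your password in a few minutes.")
MSG_NOT_FOUND = "Email not found"
# Neutral message for the fix (constructed wording)
MSG_UNIFORM = ("If that address is registered, reset instructions "
               "will arrive by email in a few minutes.")


def vulnerable_recover(email: str) -> tuple[int, str]:
    """Leaks account existence: status and body differ per branch."""
    if email in USERS:
        return 200, MSG_FOUND
    return 404, MSG_NOT_FOUND


def hardened_recover(email: str, outbox: list) -> tuple[int, str]:
    """Same status and body for every address. Only the side effect
    (queuing a reset mail) depends on existence, and the requester
    cannot observe the outbox."""
    if email in USERS:
        outbox.append((email, secrets.token_urlsafe(32)))  # single-use token
    return 200, MSG_UNIFORM


def enumeration_suspects(log_lines: list[str], threshold: int = 3) -> list[str]:
    """Flag client IPs with at least `threshold` 'not found' recovery
    responses. Log format is constructed: '<ip> <method> <path> <status>'."""
    misses = Counter()
    for line in log_lines:
        ip, _method, path, status = line.split()
        if path == "/recover" and status == "404":
            misses[ip] += 1
    return sorted(ip for ip, n in misses.items() if n >= threshold)


# Constructed sample log: one client probing several addresses
SAMPLE_LOG = [
    "10.0.0.5 POST /recover 404",
    "10.0.0.5 POST /recover 404",
    "10.0.0.5 POST /recover 200",
    "10.0.0.5 POST /recover 404",
    "10.0.0.9 POST /recover 200",
]
```

The hardened handler should also be rate limited and return in comparable time for both branches, since a timing difference would reintroduce the same oracle.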
PoC
- Invalid User
- Valid User (Redirect)
- Valid User
- Brute Force - Invalid User
- Brute Force - Valid User (Redirect)
- Brute Force - Valid User