
inflixim4be/User-Enumeration-on-Umanni-RH

CVE-2020-24008
User Enumeration on Umanni RH


Description

A user enumeration vulnerability was found in Umanni RH. The issue occurs during password recovery, where a difference in the response messages could allow an attacker to determine whether a user is valid, enabling a brute-force attack against valid users.

Exploitation

To exploit this vulnerability, it is necessary to request a password recovery. When a valid contact email is submitted, the message "You will receive and email with instructions about how to reset your password in a few minutes." is displayed; when an invalid email is submitted, the message is "Email not found".

PoC

  • Invalid User


  • Valid User (Redirect)


  • Valid User


  • Brute Force - Invalid User


  • Brute Force - Valid User (Redirect)


  • Brute Force - Valid User
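
Remediation sketch, added here as an example and not code from Umanni RH or from this repository: a recovery handler that reproduces the message difference described above, next to a hardened one that returns the same reply for every address and caps requests per client. The account store, status codes, `/login` redirect target, generic message and all function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

USERS = {"alice@example.com"}   # constructed account store
OUTBOX = []                     # stands in for the outgoing mail queue
GENERIC = "If that address is registered, reset instructions will be sent to it."

@dataclass(frozen=True)
class Response:                 # status and redirect values below are constructed
    status: int
    location: str
    body: str

def recover_vulnerable(email):
    """Behaviour reported on this page: the reply reveals whether the account exists."""
    if email.strip().lower() in USERS:
        OUTBOX.append(email)
        return Response(302, "/login", "You will receive and email with instructions "
                        "about how to reset your password in a few minutes.")
    return Response(200, "", "Email not found")

class Limiter:
    """Sliding-window cap on recovery requests per client, to slow bulk probing."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def allow(self, client, now):
        q = self.seen[client]
        while q and now - q[0] >= self.window:
            q.popleft()         # drop attempts that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def recover_hardened(email, client, now, limiter):
    """Same status, redirect and body for every address; mail goes out only if it exists."""
    if not limiter.allow(client, now):
        return Response(429, "", "Too many requests")
    if email.strip().lower() in USERS:
        OUTBOX.append(email)    # enqueue asynchronously in production so timing matches
    return Response(302, "/login", GENERIC)

def distinguishable(handler, known, unknown):
    """True when the two replies differ, i.e. the endpoint leaks account existence."""
    return handler(known) != handler(unknown)
```

`distinguishable` can be reused as a regression check against the real endpoint's responses once the fix is deployed.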
