
Reprise License Manager 14.2 User Enumeration

Posted Dec 8, 2021
Authored by Andreas Fyhn Andersen, Mark Staal Steenberg, Oliver Lind Nordestgaard, Gionathan Armando Reale, Bilal El Ghoul

Reprise License Manager version 14.2 suffers from a user enumeration vulnerability. The vendor has contacted Packet Storm to note that in v15.1 they have fixed this issue by giving the same ambiguous error whether username, password, or both are entered incorrectly.

tags | exploit
advisories | CVE-2021-44155
SHA-256 | afa7eab64e3796e91e7449732e50d465cbd84d4c205ff7d076dc1e792fe908ae

# Product: Reprise License Manager 14.2
# Vendor: Reprise Software
# CVE ID: CVE-2021-44155
# Vulnerability Title: Unauthenticated User Enumeration
# Severity: Low
# Author(s): Mark Staal Steenberg, Bilal El Ghoul, Gionathan Armando Reale, Andreas Fyhn Andersen, Oliver Lind Nordestgaard
# Date: 2021-11-25
#############################################################
Introduction:
An issue was discovered in /goform/login_process in RLM 14.2. When an attacker attempts to log in, the response includes "Login Failed" if the username is valid, but does not include this string if the username is invalid. This allows an attacker to enumerate valid users.

Vulnerability:
This vulnerability is triggered upon failed authentication. If an attacker supplies an invalid user with an invalid password, no error message is given; however, if an attacker supplies the application with a valid user and an invalid password, an error message is displayed informing the user "Login Failed". The difference in response can be abused to enumerate valid users.

Recommendation:
We recommend displaying generic error messages upon failed authentication to mitigate the possibility of an attacker enumerating valid users.
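
The recommendation above, shown as an added example that is not part of the original advisory and is not RLM code: a login check that mirrors the described response difference, next to a uniform version and a regression check that compares the two failure cases. The user store, function names and the "OK" success string are constructed for illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user store for the example: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("dummy-password", _DUMMY_SALT))

GENERIC_FAILURE = "Login Failed"


def login_leaky(username: str, password: str) -> str:
    """Behaviour described in the advisory: error text only for valid users."""
    if username not in USERS:
        return ""                      # unknown user: no message at all
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Login Failed"              # message reveals that the user exists


def login_uniform(username: str, password: str) -> str:
    """Same response whether username, password, or both are wrong."""
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        return "OK"
    return GENERIC_FAILURE


def responses_differ(login) -> bool:
    """Regression check: does a failed login reveal whether the user exists?"""
    known = login("admin", "wrong-password")
    unknown = login("no-such-user", "wrong-password")
    return known != unknown
```

A check like `responses_differ` belongs in the application's test suite so that a later change to the login handler cannot silently reintroduce the distinguishable response.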

