Back to overview

MB connect line: Remote user enumeration in mbCONNECT24/mymbCONNECT24

VDE-2021-037
Last update
05/14/2025 14:28
Published at
10/27/2021 12:15
Vendor(s)
MB connect line GmbH
External ID
VDE-2021-037
CSAF Document
Download

Summary

An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.9.0.

Impact

Please consult the CVE Entry above.

Affected Product(s)

Model no. Product name Affected versions
mbCONNECT24 <=2.9.0 mbCONNECT24 <=2.9.0
mymbCONNECT24 <=2.9.0 mymbCONNECT24 <=2.9.0

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:58
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness
Observable Response Discrepancy (CWE-204)
Summary

An unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.

References
cve.org | nvd.nist.gov

Remediation

Update mbCONNECT24/mymbCONNECT24 to 2.10.1

Revision History

Version Date Summary
1 10/27/2021 12:15 Initial revision.
2 05/14/2025 14:28 Fix: firmware category