VDE-2022-011 | CERT@VDE

2022-09-07 12:50 (CEST) VDE-2022-011

MB connect line: Unauthenticated user enumeration in mbCONNECT24 and mymbCONNECT24

Share: Email | Twitter

ID

VDE-2022-011

Published

2022-09-07 12:50 (CEST)

Last update

2022-09-07 12:50 (CEST)

Vendor(s)

MB connect line GmbH

Product(s)

Article No°	Product Name	Affected Version(s)
	mbCONNECT24	<= 2.11.2
	mymbCONNECT24	<= 2.11.2

Summary

An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.11.2.

CVE ID

CVE-2022-22520

Last Update:

Aug. 30, 2024, 9:28 a.m.

Severity

5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Weakness

Observable Response Discrepancy (CWE-204)

Summary

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

Details

nvd.nist.gov

Impact

A remote, unauthenticated attacker can enumerate valid users with a timing attack against the webserver.

Solution

Update to Version 2.12.1

Reported by

SySS GmbH reported this vulnerability to Helmholz.

Helmholz reported this vulnerability to MB connect line.

CERT@VDE coordinated with Helmholz & MB connect line.