CVE-2021-34580 HIGH

CVE-2021-34580: Remote user enumeration in mymbCONNECT24, mbCONNECT24 <= 2.9.0

Vendor: Mb Connect Line
Product: mymbCONNECT24
Weakness: CWE-204
Published: October 27, 2021
Last update: September 17, 2024

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

In mymbCONNECT24 and mbCONNECT24 <= 2.9.0, an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.

Key dates

02 Disclosure timeline

October 27, 2021: CVE published
September 17, 2024: Record updated