CVE-2021-40126 MEDIUM

CVE-2021-40126: Cisco Umbrella Email Enumeration Vulnerability

Vendor: Cisco
Product: Cisco Umbrella Insights Virtual Appliance
Weakness: CWE-210
Published: November 4, 2021
Last update: November 7, 2024

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

A vulnerability in the web-based dashboard of Cisco Umbrella could allow an authenticated, remote attacker to perform an email enumeration attack against the Umbrella infrastructure. This vulnerability is due to an overly descriptive error message on the dashboard that appears when a user attempts to modify their email address when the new address already exists in the system. An attacker could exploit this vulnerability by attempting to modify the user's email address. A successful exploit could allow the attacker to enumerate email addresses of users in the system.

Key dates

02 Disclosure timeline

November 4, 2021: CVE published
November 7, 2024: Record updated