Observable Response Discrepancy

CVE-2022-22520

Medium

5.3/10

Summary

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-204 - Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References

Advisory Timeline

Published Sep 14, 2022

Observable Response Discrepancy

CVE-2022-22520

Summary

CWE-204 - Observable Response Discrepancy

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS