PT-2013-5927 · Tyler Technologies · Taxweb

Published 2013-10-28 · Updated 2013-11-21 · CVE-2013-6020

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Tyler Technologies TaxWeb version 3.13.3.1

Description: The issue allows remote attackers to enumerate account names. An attacker sends a series of password-recovery requests to certain applications and observes that the HTTP status code returned for an invalid request differs depending on whether the named user account exists. This can be done via requests to the Assessor, Recorder, or Treasurer application.

Recommendations: For Tyler Technologies TaxWeb version 3.13.3.1, consider restricting access to the passwordRequestPOST.jsp page until a fix is available, or apply configuration changes so that invalid password-recovery requests return the same HTTP status code regardless of whether the account exists. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
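The response discrepancy described above and the uniform-response mitigation recommended for it, as an added example that is not code from Tyler Technologies or from the advisory: a minimal password-recovery handler modelled on a page like passwordRequestPOST.jsp, with the leaking variant beside the hardened one and a regression check a defender can run against either. The account store, handler names and mail hook are assumptions.

```python
from dataclasses import dataclass

# Constructed sample account store; stands in for the application's user directory.
ACCOUNTS = {"assessor_admin": "admin@example.invalid"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def _queue_reset_mail(email: str) -> None:
    # Assumed hook. Queue the mail rather than sending it synchronously, so the
    # response time does not depend on whether an account exists.
    pass


def leaky_password_request(username: str) -> Response:
    """Vulnerable pattern (CWE-204): the status code reveals whether the account exists."""
    if username not in ACCOUNTS:
        return Response(404, "Unknown account")
    _queue_reset_mail(ACCOUNTS[username])
    return Response(200, "Recovery instructions sent")


def uniform_password_request(username: str) -> Response:
    """Hardened pattern: identical status and body whether or not the account exists.
    The only observable effect (the e-mail) reaches the account owner, not the requester."""
    email = ACCOUNTS.get(username)
    if email is not None:
        _queue_reset_mail(email)
    return Response(200, "If that account exists, recovery instructions have been sent")


def responses_distinguishable(handler, known: str, unknown: str) -> bool:
    """Defender's regression check: do an existing and a non-existing account name yield
    different (status, body) pairs? True means the handler still leaks account existence."""
    a, b = handler(known), handler(unknown)
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    print("leaky handler leaks:", responses_distinguishable(leaky_password_request, "assessor_admin", "nobody"))
    print("uniform handler leaks:", responses_distinguishable(uniform_password_request, "assessor_admin", "nobody"))
```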

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2013-6020

Affected Products

Taxweb