Tgstation · Tgstation · CVE-2023-34243
**Name of the Vulnerable Software and Affected Versions**
TGstation versions prior to 5.12.5
**Description**
TGstation is a toolset to manage production BYOND servers. In affected versions, if a Windows user was registered in tgstation-server (TGS), an attacker could discover that username by brute-forcing the login endpoint with an invalid password: when the submitted username corresponded to a valid Windows logon, the endpoint produced a distinguishable response, so the response itself acted as a username-existence oracle.
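The pattern behind this advisory is a login handler whose failure response depends on whether the account exists. The following is an added example, not tgstation-server's code: a constructed user store with a leaky handler beside a hardened one that returns the same status, body and amount of work for an unknown user and for a wrong password, plus a helper that checks whether a handler is distinguishable. The PBKDF2 parameters, user names and response tuples are assumptions.

```python
"""Username-enumeration oracle in a login endpoint: leaky vs uniform responses.

Added example; the user store, password check and (status, body) response
tuples are constructed for illustration and are not TGS's implementation.
"""
import hashlib
import hmac
import secrets


def _hash(salt: bytes, password: str) -> bytes:
    # Constructed KDF settings; iteration count kept low for a quick demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


_SALT = b"constructed-salt"
# Constructed user store: username -> (salt, derived key).
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}
# Dummy record so that an unknown username still costs one KDF evaluation,
# which removes the timing side channel as well as the message difference.
_DUMMY = (_SALT, _hash(_SALT, secrets.token_hex(8)))


def _password_ok(record, password: str) -> bool:
    salt, expected = record
    return hmac.compare_digest(_hash(salt, password), expected)


def login_leaky(username: str, password: str):
    """Vulnerable pattern: the failure body reveals whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return (401, "unknown user")
    if not _password_ok(record, password):
        return (401, "invalid password")
    return (200, "ok")


def login_uniform(username: str, password: str):
    """Hardened pattern: identical response and work for both failure causes."""
    record = USERS.get(username, _DUMMY)
    # Always run the password check first so the cost does not depend on
    # whether the user exists; the membership test only decides the outcome.
    ok = _password_ok(record, password) and username in USERS
    if not ok:
        return (401, "invalid credentials")
    return (200, "ok")


def distinguishable(login, known_user: str, unknown_user: str,
                    bad_password: str = "wrong") -> bool:
    """True if a wrong-password attempt against a real account yields a
    different response than the same attempt against a nonexistent one."""
    return login(known_user, bad_password) != login(unknown_user, bad_password)
```

Running `distinguishable(login_leaky, "alice", "bob")` returns True, while the uniform handler returns False; the check is the one a reviewer would apply to any authentication endpoint, and it is what the 5.12.5 fix effectively restores for Windows logons.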
**Recommendations**
For versions prior to 5.12.5, upgrade to version 5.12.5 to resolve the issue.
As a temporary workaround for users unable to upgrade, consider rate-limiting API calls with software that sits in front of TGS in the HTTP pipeline, such as fail2ban.
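To show what the fail2ban-style workaround has to detect, here is an added example (not TGS's or fail2ban's code) that replays constructed access-log lines and flags any client exceeding `maxretry` failed POSTs to the login path within a sliding `findtime` window, the same two parameters a fail2ban jail uses. The log format, the `/api/login` path, the client addresses and the thresholds are all assumptions.

```python
"""Flag sources brute-forcing a login endpoint, fail2ban-style.

Added example. The log format, endpoint path, addresses, threshold and
window are constructed assumptions, not TGS's real log output or paths.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines: "<timestamp> <client> <method> <path> <status>".
SAMPLE_LOG = """\
2023-06-08T12:00:00 10.0.0.5 POST /api/login 401
2023-06-08T12:00:00 10.0.0.7 POST /api/login 401
2023-06-08T12:00:01 10.0.0.5 POST /api/login 401
2023-06-08T12:00:02 10.0.0.5 POST /api/login 401
2023-06-08T12:00:03 10.0.0.5 POST /api/login 401
2023-06-08T12:00:04 10.0.0.5 POST /api/login 401
2023-06-08T12:00:05 10.0.0.5 POST /api/login 401
2023-06-08T12:00:10 10.0.0.9 POST /api/login 401
2023-06-08T12:00:11 10.0.0.9 POST /api/login 401
2023-06-08T12:00:12 10.0.0.9 POST /api/login 200
2023-06-08T12:00:20 10.0.0.9 GET /api/status 200
2023-06-08T12:01:10 10.0.0.7 POST /api/login 401
2023-06-08T12:02:20 10.0.0.7 POST /api/login 401
2023-06-08T12:03:30 10.0.0.7 POST /api/login 401
2023-06-08T12:04:40 10.0.0.7 POST /api/login 401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line: str):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, path, status = m.groups()
    return datetime.fromisoformat(ts), client, method, path, int(status)


def offenders(lines, maxretry: int = 5, findtime=timedelta(seconds=60),
              login_path: str = "/api/login"):
    """Return {client: time_of_trigger} for clients with >= maxretry failed
    login POSTs inside any findtime-long window, like a fail2ban jail."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    windows = defaultdict(deque)   # client -> timestamps of recent failures
    flagged = {}
    for ts, client, method, path, status in sorted(events, key=lambda e: e[0]):
        # Only failed authentication attempts against the login path count;
        # successes and other endpoints are ignored.
        if method != "POST" or path != login_path or status != 401:
            continue
        if client in flagged:
            continue
        q = windows[client]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            flagged[client] = ts
    return flagged


if __name__ == "__main__":
    for client, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{client} exceeded the failure threshold at {when.isoformat()}")
```

With the defaults, only 10.0.0.5 is flagged (five failures within five seconds); 10.0.0.9 stops after two failures and then authenticates, and 10.0.0.7 spaces its attempts more than a minute apart so it never accumulates enough failures in one window. The last case is the limitation of pure rate limiting that makes upgrading to 5.12.5 the actual fix: a slow enumeration stays under the threshold, so the workaround raises the cost without closing the oracle.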