Inflixim4Be

**Name of the Vulnerable Software and Affected Versions** Umanni RH version 1.0 **Description** The issue allows an unauthenticated user to launch a brute-force authentication attack against the Login page due to a lack of limitation on the number of authentication attempts. **Recommendations** For Umanni RH version 1.0, consider implementing a mechanism to limit the number of authentication attempts to prevent brute-force attacks. As a temporary workaround, restrict access to the Login page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Umanni RH version 1.0 **Description** The issue is related to user enumeration during password recovery. It allows an attacker to determine if a user is valid or not based on differences in messages, potentially enabling a brute force attack with valid users. **Recommendations** For Umanni RH version 1.0, consider modifying the password recovery mechanism to return generic messages for all attempts, regardless of the user's validity, to prevent user enumeration. As a temporary workaround, restrict access to the password recovery feature until a more robust solution is implemented.

**Name of the Vulnerable Software and Affected Versions** Venki Supravizio BPM version 10.1.2 **Description** The issue allows an unauthenticated user to launch a brute-force authentication attack against the Login page due to the lack of limitation on the number of authentication attempts. **Recommendations** For Venki Supravizio BPM version 10.1.2, consider implementing a limit on the number of authentication attempts or temporarily restricting access to the Login page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Venki Supravizio BPM version 10.1.2 **Description** A user enumeration flaw was found in the password recovery process. This issue allows an attacker to determine if a `username` is valid or not by analyzing the difference in error messages, enabling a brute-force attack with valid usernames. **Recommendations** For Venki Supravizio BPM version 10.1.2, consider modifying the password recovery process to return generic error messages, avoiding the disclosure of valid usernames. As a temporary workaround, restrict access to the password recovery feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.