PT-2019-12913 · Humhub · Humhub Social Network Kit

Chanpu9 · Published 2019-07-29 · Updated 2021-07-21 · CVE-2019-12743

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HumHub Social Network Kit Enterprise version 1.3.13

Description: The issue allows remote attackers to find existing user accounts on Social Network Kits, including self-hosted ones, by brute-forcing the username after the "/u/" initial URI substring. This is due to a response discrepancy information exposure.

Recommendations: For HumHub Social Network Kit Enterprise version 1.3.13, consider restricting access to the "/u/" API endpoint to minimize the risk of exploitation until a patch is available. As a temporary workaround, implement rate limiting or IP blocking to prevent brute-force attacks on user accounts.
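The rate-limiting workaround above needs a way to spot the traffic pattern this enumeration produces: one client requesting many distinct "/u/<username>" paths in a short window, with a mix of found and not-found responses. The following detector is an added example, not part of the advisory or of HumHub's own code; it runs over constructed access-log lines in common log format, and the thresholds (60 seconds, more than 5 distinct usernames) are assumptions to tune for a real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jul/2019:10:00:01 +0000] "GET /u/alice HTTP/1.1" 200 5120
203.0.113.7 - - [29/Jul/2019:10:00:02 +0000] "GET /u/bob HTTP/1.1" 404 312
203.0.113.7 - - [29/Jul/2019:10:00:02 +0000] "GET /u/carol HTTP/1.1" 404 312
203.0.113.7 - - [29/Jul/2019:10:00:03 +0000] "GET /u/dave HTTP/1.1" 200 5098
203.0.113.7 - - [29/Jul/2019:10:00:03 +0000] "GET /u/erin HTTP/1.1" 404 312
203.0.113.7 - - [29/Jul/2019:10:00:04 +0000] "GET /u/frank HTTP/1.1" 404 312
198.51.100.9 - - [29/Jul/2019:10:00:05 +0000] "GET /u/alice HTTP/1.1" 200 5120
198.51.100.9 - - [29/Jul/2019:10:05:00 +0000] "GET /u/alice/ HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Username is the path segment right after "/u/", ignoring a trailing slash or query.
PROFILE_RE = re.compile(r"^/u/(?P<user>[^/?#]+)")

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_enumerators(log_text, window_s=60, max_distinct=5):
    """Return {ip: (distinct_usernames, not_found_count)} for clients that requested
    more than max_distinct different /u/<name> paths within any window_s-second span."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, username, status)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        pm = PROFILE_RE.match(path)
        if pm:
            per_ip[ip].append((ts, pm["user"], status))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this client's requests
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            if len(users) > max_distinct:
                misses = sum(1 for _, _, s in window if s == 404)
                flagged[ip] = (len(users), misses)
                break
    return flagged
```

Clients returned by find_enumerators are candidates for the IP blocking or rate limiting the recommendation describes; the second client, which fetched one profile twice, is left alone.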

Exploit · Fix · Side Channel Attack


Weakness Enumeration

Related Identifiers: CVE-2019-12743

Affected Products: Humhub Social Network Kit