PT-2020-16440 · Damstra · Damstra Smart Asset

Published 2020-10-02 · Updated 2020-10-06 · CVE-2020-26526
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Damstra Smart Asset version 2020.7
Description: An issue was discovered in the login page of the affected software that allows enumeration of valid usernames. The server responds differently depending on whether the submitted username exists: "Unable to find an APIDomain" for an unknown username and "Wrong email or password" for a known username with a wrong password. An unauthenticated attacker can therefore submit a list of candidate usernames with an arbitrary password and build a list of valid accounts from the error text alone, which is the usual first step of a password-spraying or credential-stuffing attack. This matches the CVSS vector above: network-reachable, no privileges or user interaction required, and a limited confidentiality impact only.
Recommendations: For Damstra Smart Asset version 2020.7, consider modifying the login page to return one generic error message for both unknown usernames and wrong passwords. For the fix to be effective, the two failure paths must also match in HTTP status code, response length and processing time, since any of those differences gives an attacker the same oracle as the message text. As a temporary workaround, restrict access to the login page (for example to trusted networks) to minimize the risk of exploitation, and alert on bursts of failed logins across many distinct usernames from one source. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
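
The following is an added example, not code from Damstra or from the original advisory. It contrasts a login handler that behaves as described above (different error per failure cause) with a hardened one that returns the same status and message on both paths and does the same password-hashing work for unknown users, and it includes the probe a tester would run against either. The user store, the PBKDF2 scheme, the account names and the response shape are all assumptions made for illustration; only the two error strings come from the advisory.

```python
"""Username enumeration via divergent login errors: vulnerable vs. hardened
handler, plus the probe a tester runs to tell the two apart.

Assumptions (not from the advisory): the user store, the password hashing
scheme and the LoginResponse shape are invented for illustration. Only the
two error strings are taken from the advisory text.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Error strings quoted in the advisory for Damstra Smart Asset 2020.7.
MSG_UNKNOWN_USER = "Unable to find an APIDomain"
MSG_BAD_CREDENTIALS = "Wrong email or password"
# Hardened variant: a single message for both failure causes.
MSG_GENERIC = "Wrong email or password"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass(frozen=True)
class User:
    salt: bytes
    pw_hash: bytes


# Constructed user store with hypothetical accounts (not real Damstra data).
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": User(_SALT, _hash_password("correct horse", _SALT)),
    "bob@example.com": User(_SALT, _hash_password("battery staple", _SALT)),
}

# Dummy credential so the hardened path does equal work for unknown users.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


@dataclass(frozen=True)
class LoginResponse:
    status: int
    message: str


def vulnerable_login(username: str, password: str) -> LoginResponse:
    """Behaves as the advisory describes: the error text (and here also the
    status code) reveals whether the username exists."""
    user = USERS.get(username)
    if user is None:
        return LoginResponse(400, MSG_UNKNOWN_USER)
    if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        return LoginResponse(401, MSG_BAD_CREDENTIALS)
    return LoginResponse(200, "ok")


def hardened_login(username: str, password: str) -> LoginResponse:
    """Same status and message whether or not the username exists, and the
    same hashing work on both paths so response time does not leak it."""
    user = USERS.get(username)
    salt, expected = (user.salt, user.pw_hash) if user else (_DUMMY_SALT, _DUMMY_HASH)
    # Always compute the hash; only then decide, so the two paths cost the same.
    password_ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if user is None or not password_ok:
        return LoginResponse(401, MSG_GENERIC)
    return LoginResponse(200, "ok")


def enumerate_users(login, candidates, baseline_user=None):
    """Tester's oracle: compare each candidate's failed-login response with
    that of a username that certainly does not exist. Any difference in status
    or message marks the candidate as a valid account."""
    if baseline_user is None:
        baseline_user = f"nonexistent-{secrets.token_hex(8)}@example.invalid"
    wrong_password = secrets.token_hex(12)  # random, so no candidate logs in
    baseline = login(baseline_user, wrong_password)
    found = []
    for name in candidates:
        resp = login(name, wrong_password)
        if (resp.status, resp.message) != (baseline.status, baseline.message):
            found.append(name)
    return found


if __name__ == "__main__":
    probe = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("vulnerable:", enumerate_users(vulnerable_login, probe))
    print("hardened:  ", enumerate_users(hardened_login, probe))
```

Against a live target the same probe would compare full HTTP responses (status, headers, body length, round-trip time) rather than a parsed message; the `enumerate_users` loop is the part to keep, with `login` replaced by an HTTP call to the login endpoint, whose path and parameter names this advisory does not give.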

Exploit


Related Identifiers

CVE-2020-26526

Affected Products

Damstra Smart Asset