CVE-2019-12783

Name of the Vulnerable Software and Affected Versions: Verint Impact 360 version 15.1

Description: An issue was discovered that allows attackers to potentially compromise valid credentials. At the /wfo/control/signin API endpoint, the rd parameter can accept a URL, to which users will be redirected after a successful login. This can be used in conjunction with another issue to "crowdsource" brute-force login attempts on the target site, allowing attackers to guess valid credentials without sending traffic from their own machine to the target site.

Recommendations: For Verint Impact 360 version 15.1, consider restricting access to the /wfo/control/signin API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the rd parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.