PT-2021-24134 · Microsoft+1 · Windows+1

Daniel Morales

Published

2021-12-20

Updated

2021-12-29

CVE-2021-44554

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Thinfinity VirtualUI versions prior to 3.0

Description: The issue allows a malicious actor to enumerate users registered in the Windows operating system through the "/changePassword" URI. By accessing this vector, an attacker can determine if a username exists thanks to the message returned, which can be presented in different languages according to the configuration of VirtualUI. Common users that may be targeted include administrator, admin, guest, and others.

Recommendations: For Thinfinity VirtualUI versions prior to 3.0, update to version 3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/changePassword" URI until a patch is available.

Exploit

Fix

Side Channel Attack

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-203

Related Identifiers

CVE-2021-44554

Affected Products

Thinfinity Virtualui

Windows

PT-2021-24134 · Microsoft+1 · Windows+1

CVE-2021-44554

Weakness Enumeration

Related Identifiers

Affected Products

References · 4