PT-2021-24167 · Dalmark Systems · Systeam

Published 2021-12-21 · Updated 2021-12-27 · CVE-2021-44876

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Dalmark Systems Systeam version 2.22.8 build 1724
Description: The Systeam application, an ERP system with a mixed architecture (SaaS tenant and user management combined with on-premise database and web application components), is affected by a user enumeration issue. During the step that identifies the correct tenant for a given user, the response returned for an existing user differs from the one returned for a non-existing user. An unauthenticated attacker can use this difference as an oracle to determine whether a username is valid, and then run a password brute-force attack only against confirmed accounts.
Recommendations: For version 2.22.8 build 1724, as a temporary workaround, add validation and error handling so that the tenant-identification step returns the same status and message regardless of whether the user exists, removing the difference an attacker relies on. Additionally, restrict access to the user identification functionality (for example by rate-limiting requests to it) to reduce the risk of exploitation.
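The following is an added illustration, not Systeam's code: a simulated tenant-identification step in the vulnerable form (response differs by user existence) beside a hardened form (uniform response, tenant resolved but never disclosed), together with the probe an attacker would use to turn the difference into a list of valid users. The user/tenant directory, the response shapes, and all names are constructed assumptions.

```python
"""Added example (not Systeam's code): user enumeration through a tenant
lookup step, and a hardened variant that returns a uniform response.
All directory data and response shapes are constructed for illustration."""

# Constructed user-to-tenant directory, standing in for the SaaS tenant registry.
USER_TENANTS = {
    "alice@example.com": "tenant-a",
    "bob@example.com": "tenant-b",
}

# A username guaranteed not to exist; the attacker uses it as a baseline.
PROBE_NONEXISTENT = "probe-does-not-exist@invalid"


def vulnerable_tenant_lookup(username: str) -> dict:
    """Vulnerable pattern: status and message depend on whether the user exists.

    An unknown user gets a different response from a known one, so the
    endpoint doubles as a validity oracle for usernames (CVE-2021-44876 pattern)."""
    tenant = USER_TENANTS.get(username)
    if tenant is None:
        return {"status": 404, "message": "User not found"}
    return {"status": 200, "message": "Redirecting to tenant login", "tenant": tenant}


def hardened_tenant_lookup(username: str) -> dict:
    """Hardened pattern: identical status, message and keys for any input.

    The tenant is still resolved server-side but never returned; the
    tenant-specific login step would be delivered over a channel only the
    real owner controls (e.g. a link to the registered address), so the
    response carries no information about whether the username exists."""
    _tenant = USER_TENANTS.get(username)  # resolved, deliberately not disclosed
    return {
        "status": 200,
        "message": "If this account exists, sign-in instructions have been sent.",
    }


def response_fingerprint(resp: dict) -> tuple:
    """Everything an attacker can observe in the reply: status, message, keys."""
    return (resp["status"], resp["message"], tuple(sorted(resp)))


def enumerate_users(lookup, candidates: list) -> list:
    """Attacker's probe: any candidate whose response differs from the
    known-nonexistent baseline is reported as a valid user."""
    baseline = response_fingerprint(lookup(PROBE_NONEXISTENT))
    return [u for u in candidates if response_fingerprint(lookup(u)) != baseline]


if __name__ == "__main__":
    wordlist = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("vulnerable:", enumerate_users(vulnerable_tenant_lookup, wordlist))
    print("hardened:  ", enumerate_users(hardened_tenant_lookup, wordlist))
```

Against the vulnerable lookup the probe recovers exactly the two real accounts; against the hardened lookup it recovers nothing, because every reply is indistinguishable from the baseline. A real fix must also keep response timing uniform (the same work is done on both paths here) and rate-limit the endpoint, since a uniform message alone does not stop an attacker who can observe other side channels.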

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2021-44876

Affected Products

Systeam