PT-2021-8563 · Unknown · Sapphireims
Tanoy Bose · Published 2021-08-11 · Updated 2021-08-12
CVE-2017-16629
CVSS v3.1: 7.5 (High)
| Metric | Value |
| --- | --- |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
SapphireIMS version 4097 1
Description
The software is susceptible to username enumeration because the login form returns distinct error messages for an unregistered username and for a registered username with an incorrect password. For an incorrect user it displays "The application failed to identify the user. Please contact administrator for help."; for a correct user with an incorrect password it shows "Authentication failed. Please login again." An attacker can therefore confirm which usernames are registered without knowing any password.
Recommendations
For SapphireIMS version 4097 1, modify the login form so that it returns a single generic error message that does not distinguish between an incorrect username and a correct username with an incorrect password, thereby preventing attackers from enumerating registered usernames.
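As an added example, not SapphireIMS code, the handler below reproduces the leaky pattern the advisory describes beside a hardened version that returns one generic message and performs a password hash on both paths, so neither the text nor the response time reveals whether the username exists. The user store, salts and passwords are constructed for the demo; the `leaks_username` check is the kind of test a reviewer can run against any login function to confirm the two failure paths are indistinguishable.

```python
# Added example (not SapphireIMS code): a login handler that leaks whether a
# username exists through its error text, beside a hardened version.
import hashlib
import hmac
import os

# PBKDF2 iteration count kept low so the demo runs quickly; raise in production.
_ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed demo user store: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown username still costs one hash computation,
# keeping the timing of the "unknown user" path close to the "wrong password" path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password-never-accepted", _DUMMY_SALT)

UNKNOWN_USER_MSG = ("The application failed to identify the user. "
                    "Please contact administrator for help.")
WRONG_PASSWORD_MSG = "Authentication failed. Please login again."
GENERIC_MSG = "Invalid username or password."


def login_vulnerable(username: str, password: str):
    """Leaky pattern: the error text depends on whether the username exists."""
    if username not in USERS:
        return (False, UNKNOWN_USER_MSG)
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return (True, "Login successful.")
    return (False, WRONG_PASSWORD_MSG)


def login_hardened(username: str, password: str):
    """Generic message and equal work on both failure paths."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # compare_digest avoids a timing side channel on the hash comparison;
    # the membership check guards against a password that happens to match the dummy.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return (ok, "Login successful." if ok else GENERIC_MSG)


def leaks_username(login) -> bool:
    """Return True if the 'unknown user' and 'wrong password' responses differ."""
    _, msg_unknown = login("nobody", "whatever")
    _, msg_wrong = login("alice", "wrong password")
    return msg_unknown != msg_wrong


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_username(login_vulnerable))  # True
    print("hardened leaks:  ", leaks_username(login_hardened))    # False
```

The same generic message should also be used for disabled or locked accounts, and account lockout or rate limiting should be keyed so that probing many usernames does not itself become a signal; otherwise the distinction the advisory describes simply moves from the error text to another channel.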
Weakness Enumeration
Generation of Error Message Containing Sensitive Information
Affected Products
Sapphireims