CVE-2022-40895

Name of the Vulnerable Software and Affected Versions NeDi versions 1.0.7 and earlier

Description A vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability. This is due to insecure design, where a difference in forgot password utility could allow an attacker to determine if the username is valid or not, enabling a brute force attack with valid users.

Recommendations For NeDi versions 1.0.7 and earlier, as a temporary workaround, consider disabling the forgot password utility until a patch is available. Restrict access to the NeDi web UI to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.