PT-2025-11691 · Beta80 · Beta80 Life 1St Identity Manager

Published: 2025-03-19 · Updated: 2025-03-19 · CVE-2025-26485

CVSS v3.1: 5.8 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Beta80 Life 1st Identity Manager version 1.5.2.14234

Description: The issue allows user enumeration using authentication REST APIs. Different error messages are returned for failed authentication attempts, depending on whether a wrong password or a non-existent user is used.

Recommendations: For version 1.5.2.14234, consider modifying the authentication API to return generic error messages for all failed authentication attempts, rather than distinguishing between incorrect passwords and non-existent users, to prevent user enumeration.
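The recommendation above, sketched as an added example; this is not Beta80 code, and the user store, function names and response bodies are hypothetical. It goes one step beyond the page by also hashing against a dummy record, so that an unknown user costs the same work as a known one, and it includes a regression check that both failure modes return the same response.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
# One response for every failed attempt, whatever the reason (hypothetical body).
GENERIC_FAILURE = (401, {"error": "invalid_credentials"})

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed sample user store with one hypothetical account.
USERS = {"alice": make_record("correct horse battery")}
# Dummy record: unknown users are hashed against it so the work done is the same.
_DUMMY = make_record("dummy-never-matches")

def authenticate(username: str, password: str) -> tuple:
    """Return (status, body); every failure yields GENERIC_FAILURE."""
    record = USERS.get(username)
    known = record is not None
    if not known:
        record = _DUMMY
    candidate = _hash(password, record["salt"])
    # Compare in constant time, then require that the account really exists.
    matches = hmac.compare_digest(candidate, record["hash"])
    if matches and known:
        return (200, {"status": "authenticated"})
    return GENERIC_FAILURE

def failure_responses_match() -> bool:
    """Regression check: wrong password and unknown user are indistinguishable."""
    wrong_password = authenticate("alice", "not-the-password")
    unknown_user = authenticate("no-such-user", "not-the-password")
    return wrong_password == unknown_user == GENERIC_FAILURE

if __name__ == "__main__":
    print("failure responses identical:", failure_responses_match())
```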

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2025-26485

Affected Products

Beta80 Life 1St Identity Manager