{"id": "CVE-2020-15392", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2020-07-07T14:15:11.317", "references": [{"url": "https://github.com/inflixim4be/CVE-2020-15392", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.venki.com.br/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "A user enumeration vulnerability flaw was found in Venki Supravizio BPM 10.1.2. This issue occurs during password recovery, where a difference in error messages could allow an attacker to determine if a username is valid or not, enabling a brute-force attack with valid usernames."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo de vulnerabilidad de enumeraci\u00f3n de usuarios en Venki Supravizio BPM versi\u00f3n 10.1.2. Este problema se produce durante la recuperaci\u00f3n de contrase\u00f1a, donde una diferencia en los mensajes de error podr\u00eda permitir a un atacante determinar si un nombre de usuario es v\u00e1lido o no, permitiendo un ataque de fuerza bruta con nombres de usuario v\u00e1lidos"}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:venki:supravizio_bpm:10.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6ED893E4-0DE0-4308-B35B-65E6FE22B73F"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}