CVE-2020-26526

An issue was discovered in Damstra Smart Asset 2020.7. It is possible to enumerate valid usernames on the login page. The application sends a different server response when the username is invalid than when the username is valid ("Unable to find an APIDomain" versus "Wrong email or password").

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/lukaszstu/SmartAsset-UE-CVE-2020-26526	Third Party Advisory
https://smartasset.com/	Vendor Advisory
https://support.damstratechnology.com/hc/en-us/categories/900000115446-SmartAsset-Damstra-Asset-Management-Platform	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:damstratechnology:smart_asset:2020.7:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-10-02 20:15

Updated : 2020-10-06 17:30

NVD link : CVE-2020-26526

Mitre link : CVE-2020-26526

CVE.ORG link : CVE-2020-26526

JSON object : View

Products Affected

damstratechnology

smart_asset

CWE

NVD-CWE-noinfo

{"id": "CVE-2020-26526", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2020-10-02T20:15:13.190", "references": [{"url": "https://github.com/lukaszstu/SmartAsset-UE-CVE-2020-26526", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://smartasset.com/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://support.damstratechnology.com/hc/en-us/categories/900000115446-SmartAsset-Damstra-Asset-Management-Platform", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Damstra Smart Asset 2020.7. It is possible to enumerate valid usernames on the login page. The application sends a different server response when the username is invalid than when the username is valid (\"Unable to find an APIDomain\" versus \"Wrong email or password\")."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Damstra Smart Asset versi\u00f3n 2020.7. Es posible enumerar nombres de usuario v\u00e1lidos en la p\u00e1gina de inicio de sesi\u00f3n. La aplicaci\u00f3n env\u00eda una respuesta de servidor diferente cuando el nombre de usuario no es v\u00e1lido que cuando el nombre de usuario es v\u00e1lido (\"Unable to find an APIDomain\" versus \"Wrong email or password\")"}], "lastModified": "2020-10-06T17:30:57.920", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:damstratechnology:smart_asset:2020.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB0C9567-ED1F-42EE-8ED5-87BD3A8B8E19"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}