Knowage User Enumeration
Release date: 29/07/2019
Last update: 29/07/2019
Vendor site: https://www.knowage-suite.com/site/home/
Affected version(s): 6.1.1
Remediated version: 6.4
Severity Rating: Low
Impact: Exposure of sensitive information
Attack vector: Remote without authentication
Details: The servlet ChangePwdServlet is vulnerable to user enumeration because its response depends on whether the submitted username exists. If the username is valid (and the supplied old password is wrong) it returns the message "The old password is incorrect"; if the username is invalid it returns an empty response. An unauthenticated attacker can therefore submit candidate usernames with an arbitrary old password and use the presence or absence of that message to confirm which accounts exist.
This screenshot shows an invalid username being requested:
This screenshot shows a valid username being requested:
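The following is an added, offline Python illustration of the oracle described above; it is not code from the advisory or from the Knowage project. The two stand-in functions model the servlet's described behaviour (and a hardened variant that answers uniformly) as pure functions so the example runs without a server; the parameter names, the hardened message wording and the sample user names are assumptions, not taken from the product.

```python
"""Added example (not from the Content Security advisory or Knowage):
demonstrates the ChangePwdServlet user-enumeration oracle offline, with
the vulnerable behaviour beside a response that closes it.

Assumptions (not stated on the page): the hardened message wording, the
parameter order (username, old_password) and the sample user names.
"""
from typing import Callable, Dict, List

# Constructed sample account data; no real Knowage credentials.
KNOWN_USERS: Dict[str, str] = {"biadmin": "s3cret", "bidev": "dev-pass"}

# Wording the advisory reports for a valid username with a wrong old password.
ORACLE_MESSAGE = "The old password is incorrect"


def vulnerable_change_pwd(username: str, old_password: str) -> str:
    """Stand-in for the 6.1.1 behaviour the advisory describes:
    unknown user -> empty body; known user, wrong password -> oracle message."""
    if username not in KNOWN_USERS:
        return ""
    if KNOWN_USERS[username] != old_password:
        return ORACLE_MESSAGE
    return "Password changed"


def hardened_change_pwd(username: str, old_password: str) -> str:
    """Same credential check, but an identical response whether or not the
    username exists (message wording is an assumption)."""
    if username in KNOWN_USERS and KNOWN_USERS[username] == old_password:
        return "Password changed"
    return "The username or old password is incorrect"


def classify(body: str) -> str:
    """What an attacker learns from one response body."""
    if ORACLE_MESSAGE in body:
        return "valid"
    if body.strip() == "":
        return "invalid"
    return "unknown"


def enumerate_users(probe: Callable[[str, str], str],
                    candidates: List[str]) -> Dict[str, str]:
    """Submit each candidate with a deliberately wrong old password and
    classify the response. `probe` is the function (or HTTP call) under test."""
    return {name: classify(probe(name, "definitely-wrong-password"))
            for name in candidates}


def is_enumerable(probe: Callable[[str, str], str],
                  existing: str, nonexistent: str) -> bool:
    """Tester's check: do a real and a bogus username get different
    responses for the same wrong password? True means the oracle is present."""
    return probe(existing, "x") != probe(nonexistent, "x")


if __name__ == "__main__":
    candidates = ["biadmin", "nobody", "bidev"]
    print("6.1.1-style:", enumerate_users(vulnerable_change_pwd, candidates))
    print("hardened:   ", enumerate_users(hardened_change_pwd, candidates))
    print("enumerable? ", is_enumerable(vulnerable_change_pwd, "biadmin", "nobody"),
          is_enumerable(hardened_change_pwd, "biadmin", "nobody"))
```

When running the same check against a live instance, compare status code, body length and response time as well as the message text: a fix that unifies the wording but leaves a different code path for unknown users can still be distinguishable.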
Recommendation: Upgrade to Knowage 6.4 or later, where this issue is remediated. Until then, note that the servlet should return the same response for an invalid username as it does for a valid username with a wrong old password.
Discovered by: David Chadwick from Content Security Pty. Ltd.