
Security Advisory: Knowage User Enumeration

Posted by David Chadwick - 05 August, 2019


Knowage User Enumeration

Release date: 29/07/2019

Last update: 29/07/2019

Vendor: Knowage-suite

Vendor site: https://www.knowage-suite.com/site/home/

Product: Knowage

Affected version(s): 6.1.1

Remediated version: 6.4

Severity Rating: Low

Impact: Exposure of sensitive information

Attack vector: Remote without authentication

CVE: CVE-2019-14278


Details: The file ChangePwdServlet is vulnerable to user enumeration because its response differs depending on whether the supplied username is valid. It returns “The old password is incorrect” if the username is valid and returns no response if the username is invalid.

This screenshot shows an invalid username being requested:


This screenshot shows a valid username being requested:



Recommendation: Update to the latest patch.
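
The response difference described under Details, next to a handler pattern that removes it, as an added example that is not Knowage's code or its actual fix. The class and method names, the in-memory user map, the fixed salt and every message except “The old password is incorrect” are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical sketch, not Knowage code: all names here are assumptions.
public class ChangePasswordDemo {
    static final String GENERIC_FAILURE = "Username or old password is incorrect";
    // Constructed demo salt; a real credential store uses a random salt per user.
    static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);

    static byte[] hash(String password) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), SALT, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Pattern from the advisory: a message for valid usernames, nothing for invalid ones.
    static String vulnerable(Map<String, byte[]> users, String user, String oldPw) throws Exception {
        byte[] stored = users.get(user);
        if (stored == null) return "";  // invalid username: no response
        if (!MessageDigest.isEqual(stored, hash(oldPw))) return "The old password is incorrect";
        return "Password changed";
    }

    // Hardened: identical body and identical hashing work whether or not the account exists.
    static String hardened(Map<String, byte[]> users, String user, String oldPw, byte[] dummy)
            throws Exception {
        byte[] stored = users.get(user);
        boolean known = stored != null;
        // Always hash and compare, against a dummy value for unknown users, so that
        // response time does not become a second way to tell the two cases apart.
        boolean match = MessageDigest.isEqual(known ? stored : dummy, hash(oldPw));
        return (known && match) ? "Password changed" : GENERIC_FAILURE;
    }

    public static void main(String[] args) throws Exception {
        Map<String, byte[]> users = Map.of("alice", hash("correct horse"));  // constructed account
        byte[] dummy = hash("placeholder-for-unknown-users");
        for (String name : new String[] {"alice", "nobody"}) {
            System.out.printf("%-7s vulnerable=[%s] hardened=[%s]%n", name,
                    vulnerable(users, name, "wrong-guess"),
                    hardened(users, name, "wrong-guess", dummy));
        }
    }
}
```

A uniform response closes the oracle in the handler itself; rate limiting failed attempts on the endpoint is a complementary control.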

Discovered by: David Chadwick from Content Security Pty. Ltd.
