CVE-2024-34336 - Vulnerability Details - OpenCVE

User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00121.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Ordat	Foss-online Ordat.erp

Configuration 1 [-]

cpe:2.3:a:ordat:ordat.erp:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://foss-online.com
http://ordat.com
https://mind-bytes.de/offenlegung-existierender-benutzerkonten-in-foss-online-cve-2024-34336/

History

Wed, 18 Sep 2024 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ordat ordat.erp
Weaknesses		CWE-203
CPEs		cpe:2.3:a:ordat:ordat.erp::::::::
Vendors & Products		Ordat ordat.erp

Thu, 12 Sep 2024 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ordat Ordat foss-online
Weaknesses		CWE-204
CPEs		cpe:2.3:a:ordat:foss-online::::::::
Vendors & Products		Ordat Ordat foss-online
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 12 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
Description		User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality.
References		http://foss-online.com http://ordat.com https://mind-bytes.de/offenlegung-existierender-benutzerkonten-in-foss-online-cve-2024-34336/

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-09-12T00:00:00

Updated: 2024-09-12T20:10:08.012Z

Reserved: 2024-05-02T00:00:00

Link: CVE-2024-34336

Vulnrichment

Updated: 2024-09-12T20:08:04.209Z

NVD

Status : Analyzed

Published: 2024-09-12T19:15:03.510

Modified: 2024-09-18T20:32:05.510

Link: CVE-2024-34336

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-34336", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-09-12T20:10:08.012Z", "dateReserved": "2024-05-02T00:00:00", "datePublished": "2024-09-12T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-09-12T18:10:50.435033"}, "descriptions": [{"lang": "en", "value": "User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://foss-online.com"}, {"url": "http://ordat.com"}, {"url": "https://mind-bytes.de/offenlegung-existierender-benutzerkonten-in-foss-online-cve-2024-34336/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-204", "lang": "en", "description": "CWE-204 Observable Response Discrepancy"}]}], "affected": [{"vendor": "ordat", "product": "foss-online", "cpes": ["cpe:2.3:a:ordat:foss-online:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.24.01", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-12T20:08:20.665887Z", "id": "CVE-2024-34336", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T20:10:08.012Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-34336", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-12T20:08:20.665887Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ordat:foss-online:*:*:*:*:*:*:*:*"], "vendor": "ordat", "product": "foss-online", "versions": [{"status": "affected", "version": "0", "lessThan": "2.24.01", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204 Observable Response Discrepancy"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T20:08:04.209Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://foss-online.com"}, {"url": "http://ordat.com"}, {"url": "https://mind-bytes.de/offenlegung-existierender-benutzerkonten-in-foss-online-cve-2024-34336/"}], "descriptions": [{"lang": "en", "value": "User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-09-12T18:10:50.435033"}}}, "cveMetadata": {"cveId": "CVE-2024-34336", "state": "PUBLISHED", "dateUpdated": "2024-09-12T20:10:08.012Z", "dateReserved": "2024-05-02T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-09-12T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ordat:ordat.erp:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B2D302F-1B47-4CD9-B471-EF982C74E095", "versionEndExcluding": "2.24.01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality."}, {"lang": "es", "value": "La vulnerabilidad de enumeraci\u00f3n de usuarios en ORDAT FOSS-Online anterior a v2.24.01 permite a los atacantes determinar si existe una cuenta en la aplicaci\u00f3n comparando las respuestas del servidor de la funcionalidad de contrase\u00f1a olvidada."}], "id": "CVE-2024-34336", "lastModified": "2024-09-18T20:32:05.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-09-12T19:15:03.510", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://foss-online.com"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "http://ordat.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Technical Description"], "url": "https://mind-bytes.de/offenlegung-existierender-benutzerkonten-in-foss-online-cve-2024-34336/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-204"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}