Title: User enumeration

CVE: CVE-2021-44875

Description: The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise database and web application counterparts. This issue occurs during the password recovery procedure for a given user, where a difference in messages could allow an attacker to determine whether the given user is valid, enabling a brute-force attack with valid users.

Affected version: Version 2.22.8 build 1724

Fix: An updated version has been issued.

OWASP TOP 10: A01:2021 – Broken Access Control

CVSS:
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVSS Base Score: 9.3

Credits: Douglas Secco dos Santos
DropReal Brasil - Cybersecurity & Compliance - www.dropreal.com.br
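
The message difference described above, shown as an added example that is not Systeam's code and does not come from the advisory: a password recovery handler whose response reveals account existence, beside a form that answers identically for every input, plus a regression check that compares the two responses. The account store, handler names and message strings are hypothetical.

```python
import hashlib
import secrets

# Constructed sample data: a hypothetical account store, not taken from the advisory.
USERS = {"alice@example.com": {"reset_token_hash": None}}

GENERIC_MSG = "If the account exists, a recovery e-mail has been sent."


def _new_token_hash():
    # Store only a hash of the single-use token, never the token itself.
    return hashlib.sha256(secrets.token_urlsafe(32).encode()).hexdigest()


def recover_vulnerable(email):
    """'Before' form: status and message reveal whether the account exists."""
    if email not in USERS:
        return 404, "User not found."
    USERS[email]["reset_token_hash"] = _new_token_hash()
    return 200, "Recovery e-mail sent."


def recover_hardened(email):
    """Same status and body for every input, so the lookup result is not observable."""
    token_hash = _new_token_hash()  # same work on both paths
    user = USERS.get(email.strip().lower())
    if user is not None:
        # Assumption: the e-mail itself is queued asynchronously, outside the request.
        user["reset_token_hash"] = token_hash
    return 200, GENERIC_MSG


def responses_differ(handler, known_email, unknown_email):
    """Regression check: True if the handler's response leaks account existence."""
    return handler(known_email) != handler(unknown_email)
```

`responses_differ` can run in a test suite against any recovery, login or registration handler with one known and one unknown account.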