Vulnerability Details CVE-2022-23342
The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint. This can lead to user enumeration against the underlying Active Directory integrated systems.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 73.5%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- https://community.hyland.com/login?returnUrl=/connect/hyland-research-and-development/security-advisories/username-enumeration-in-onbase
- https://github.com/InitRoot/CVE-2022-23342
- https://community.hyland.com/login?returnUrl=/connect/hyland-research-and-development/security-advisories/username-enumeration-in-onbase
- https://github.com/InitRoot/CVE-2022-23342
Products affected by CVE-2022-23342
-
cpe:2.3:a:hyland:onbase:-
-
cpe:2.3:a:hyland:onbase:16.0.0.0
-
cpe:2.3:a:hyland:onbase:16.0.2.83
-
cpe:2.3:a:hyland:onbase:17.0.0.0
-
cpe:2.3:a:hyland:onbase:17.0.2.109
-
cpe:2.3:a:hyland:onbase:18.0.0.0
-
cpe:2.3:a:hyland:onbase:18.0.0.32
-
cpe:2.3:a:hyland:onbase:18.0.0.37
-
cpe:2.3:a:hyland:onbase:19.0.0.0
-
cpe:2.3:a:hyland:onbase:19.8.16.1000
-
cpe:2.3:a:hyland:onbase:19.8.9.1000
-
cpe:2.3:a:hyland:onbase:20.0.0.0
-
cpe:2.3:a:hyland:onbase:20.3.10.1000
-
cpe:2.3:a:hyland:onbase:21.1.1.1000
-
cpe:2.3:a:hyland:onbase:21.1.15.1000