Vulnerabilities
Vulnerable Software
Thinfinity VirtualUI before 3.0 allows a malicious actor to enumerate users registered in the OS (Windows) through the /changePassword URI. By requesting this URI, an attacker can determine whether a username exists from the message returned; the message can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest and krbtgt.
CVSS Score: 5.3
EPSS Score: 0.004
Published: 2021-12-20
Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter.
CVSS Score: 9.8
EPSS Score: 0.789
Published: 2021-12-16
In Cybele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists.
CVSS Score: 5.3
EPSS Score: 0.246
Published: 2021-12-13