CVE-2022-22520
User enumeration vulnerability in MB connect line and Helmholz products
Severity Score
5.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.
Un atacante remoto no autenticado puede enumerar usuarios válidos mediante el envío de peticiones específicas al webservice de la línea de conexión MB mymbCONNECT24, mbCONNECT24 y Helmholz myREX24 y myREX24.virtual en todas las versiones hasta v2.11.2
*Credits:
SySS GmbH reported this vulnerability to Helmholz. Helmholz reported this vulnerability to MB connect line. CERT@VDE coordinated with Helmholz & MB connect line.
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-01-03 CVE Reserved
- 2022-09-14 CVE Published
- 2024-03-30 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-204: Observable Response Discrepancy
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://cert.vde.com/en/advisories/VDE-2022-011 | Third Party Advisory | |
| https://cert.vde.com/en/advisories/VDE-2022-039 | Not Applicable |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mbconnectline Search vendor "Mbconnectline" | Mbconnect24 Search vendor "Mbconnectline" for product "Mbconnect24" | <= 2.11.2 Search vendor "Mbconnectline" for product "Mbconnect24" and version " <= 2.11.2" | - |
Affected
| ||||||
| Mbconnectline Search vendor "Mbconnectline" | Mymbconnect24 Search vendor "Mbconnectline" for product "Mymbconnect24" | <= 2.11.2 Search vendor "Mbconnectline" for product "Mymbconnect24" and version " <= 2.11.2" | - |
Affected
| ||||||
| Helmholz Search vendor "Helmholz" | Myrex24 Search vendor "Helmholz" for product "Myrex24" | <= 2.11.2 Search vendor "Helmholz" for product "Myrex24" and version " <= 2.11.2" | - |
Affected
| ||||||
| Helmholz Search vendor "Helmholz" | Myrex24.virtual Search vendor "Helmholz" for product "Myrex24.virtual" | <= 2.11.2 Search vendor "Helmholz" for product "Myrex24.virtual" and version " <= 2.11.2" | - |
Affected
| ||||||