Problem:
When visiting the login page, it provides autocomplete of username. The entire list of users is downloaded using an API call in the background, leaking all the valid users. Information Leakage in the web interface allows Information Disclosure when the attacker visits the login page of the web interface. Although this is a minor issue, it does pose a security risk by exposing usernames that can later be used in a brute-force attack.
Fix:
This is today considered bad security practice, and that is why we have removed the feature from Connection Suite 3.0.0 and later. Dualog Connection Suite 3.0 was released on December 8, 2020. See Connection Suite 3.0 release notes here.
Source
This vulnerability was found by PenTestPartners (PTP) during a random security testing.
Comments
Article is closed for comments.