/CVE-2020-15392

User Enumeration on Supravizio BPM 10.1.2

CVE-2020-15392
User Enumeration on Supravizio BPM 10.1.2

Description

A user enumeration vulnerability flaw was found in Supravizio BPM, version 10.1.2. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

Exploitation

To exploit this vulnerability, it is necessary to request a password recovery, when adding a invalid contact email the message: "email not found" is displayed and when an valid email: "contact the system administrator".

PoC

  • Invalid User


  • Valid User


  • Brute Force - Invalid User


  • Brute Force - Valid User