CVE-2020-28918

CVE-2020-28918

by Excellium SA

Abstract Advisory Information

DualShield 5.9.8.0821 allows username enumeration on its login form. A valid username will ask for
the password when an invalid one will produce a “unknown username” error message.

Authors: Excellium Services

Version affected

Name: DualShield
Version: 5.9.8.0821

Common Vulnerability Scoring System

5.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Patches

A fix is available in DualShield 6.0. The administrator must check the new checkbox
“Prevent login name guessing” in the authentication panel.

References

https://support.deepnetsecurity.com/
https://nvd.nist.gov/vuln/detail/CVE-2020-28918

Vulnerability Disclosure Timeline

  • 2020/11/10: Vulnerability found in DualShield
  • 2020/11/11: Vulnerability reported to CERT-XLM
  • 2020/11/11: Vulnerability reported to Deepnet Security
  • 2020/11/16: Vulnerability fixed in DualShield version 6.0
  • 2020/11/17: CVE ID requested to MITRE
  • 2020/11/18: CVE ID Assigned by MITRE
  • 2021/02/09: Expected public vulnerability disclosure
Top