CVE-2017-16629

In SapphireIMS 4097_1, it is possible to guess the registered/active usernames of the software from the errors it gives out for each type of user on the Login form. For "Incorrect User" - it gives an error "The application failed to identify the user. Please contact administrator for help." For "Correct User and Incorrect Password" - it gives an error "Authentication failed. Please login again."

Published: Aug 11, 2021
Updated: Apr 13, 2023
CVE: CVE-2017-16629
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-209

OWASP TOP 10:

A6 - Security Misconfiguration

Affected Software
References

Software	From	Fixed in
sapphireims / sapphireims	4097_1	4097_1.x

https://vuln.shellcoder.party/2020/07/18/cve-2017-16629-sapphireims-login-page-information-disclosure/
https://vuln.shellcoder.party/tags/sapphireims/

Vulnerability Database

CVE-2017-16629