SpinetiX Fusion Digital Signage Username Enumeration Vulnerability
Vulnerability
A username enumeration vulnerability has been identified in SpinetiX Fusion Digital Signage version 3.4.8. The vulnerability resides in the login script, which returns different error responses for valid and invalid usernames, allowing an attacker to tell the two apart. By sending login requests with various usernames and comparing the responses, an attacker can compile a list of existing accounts.
Impact
Exploitation of this vulnerability allows for the enumeration of valid usernames, which could be a precursor to targeted attacks such as password guessing or phishing.
Reproduction
To reproduce this vulnerability, send a POST request to the login endpoint with a username that does not exist; the response indicates that the username is incorrect. Then send another POST request with a valid username but an incorrect password; the response confirms that the password is incorrect. This discrepancy between the two error messages is what reveals which usernames are valid.
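As an added illustration that is not SpinetiX code, a constructed login handler with the two-message defect described above sits next to a hardened version that returns one generic message for both failure cases and spends the same password-hashing cost on unknown and known usernames. The user table, password and helper names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Tuple

# Constructed user table for illustration only (not SpinetiX data).
# Passwords are stored as salted PBKDF2 hashes, never in the clear.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"operator": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown username still costs one PBKDF2 run; this keeps
# the timing of the unknown-user path in line with the wrong-password path.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("placeholder", _DUMMY_SALT))

def vulnerable_login(username: str, password: str) -> Tuple[bool, str]:
    """Leaks account existence through two distinct error messages."""
    record = USERS.get(username)
    if record is None:
        return False, "Username is incorrect"      # reveals the account does not exist
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Password is incorrect"      # reveals the account exists
    return True, "OK"

def hardened_login(username: str, password: str) -> Tuple[bool, str]:
    """One message and one hash computation whether or not the user exists."""
    salt, stored = USERS.get(username, _DUMMY)
    # The hash comparison runs first, before the membership check, so both
    # failure paths do the same work; the membership check blocks a guess
    # that happens to match the dummy record.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if not ok:
        return False, "Invalid username or password"
    return True, "OK"

def responses_distinguish(login: Callable[[str, str], Tuple[bool, str]]) -> bool:
    """Defender's self-check: do the unknown-user and wrong-password messages differ?"""
    unknown = login("no-such-user", "wrong")[1]
    wrong_pw = login("operator", "wrong")[1]
    return unknown != wrong_pw
```

Running `responses_distinguish` against a handler is the quickest way to confirm that a fix for this class of issue actually removed the message discrepancy.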