Aranda PassRecovery Active Directory User Enumeration Vulnerability

Vulnerability

A user enumeration vulnerability has been identified in Aranda PassRecovery version 1.0. This issue allows attackers to verify the validity of Active Directory user accounts by sending a specially crafted POST request to the '/user/existdirectory/1' endpoint.

Impact

Exploitation of this vulnerability allows for user enumeration, enabling attackers to identify valid Active Directory accounts.

Reproduction

To reproduce this vulnerability, send a POST request to the '/APRAPI//api/v1/user/existdirectory/1' endpoint. Include the Active Directory username in the request body as a JSON string. The response indicates whether the username exists in the directory.
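As an added detection example (not part of the original advisory and not Aranda's code), the following Python script scans web-server access-log lines for clients that repeatedly POST to the existdirectory endpoint within a short window, which is the traffic pattern that enumeration of directory accounts produces. The log lines are constructed samples in Common Log Format; the log format, the 60-second window and the threshold of 10 requests are assumptions to tune for the deployment, and the script assumes lines arrive in time order.

```python
"""Flag clients that burst POSTs to the PassRecovery existdirectory endpoint.

Added detection example, not Aranda's code. Parses Common Log Format access
log lines (constructed samples below) and reports client IPs that POST to
the user-existence endpoint more than THRESHOLD times within WINDOW_SECONDS.
Log format, window and threshold are assumptions; lines must be in time order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Endpoint path from the advisory; '/+' tolerates the double slash shown there.
ENDPOINT_RE = re.compile(r"^/APRAPI/+api/v1/user/existdirectory/\d+$")
# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 60   # assumed sliding window
THRESHOLD = 10        # assumed: more probes than this per window is suspicious


def parse_line(line):
    """Return (ip, timestamp, method, path), or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_enumeration_sources(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: peak_probes_in_window} for IPs whose peak exceeds threshold.

    Keeps a per-IP sliding window of timestamps for POSTs to the endpoint;
    every other request is ignored.
    """
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or not ENDPOINT_RE.match(path):
            continue
        q = windows[ip]
        q.append(ts)
        # Evict timestamps that fell out of the window relative to this request.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def _sample_lines():
    """Constructed sample access-log lines (not real traffic)."""
    probe = ('{ip} - - [26/Sep/2025:18:00:{sec:02d} +0000] '
             '"POST /APRAPI//api/v1/user/existdirectory/1 HTTP/1.1" 200 42')
    # One client fires 12 probes in 22 seconds: enumeration-like.
    lines = [probe.format(ip="203.0.113.5", sec=s) for s in range(0, 24, 2)]
    # Another client sends 2 probes 35 seconds apart: ordinary self-service use.
    lines += [probe.format(ip="198.51.100.7", sec=s) for s in (5, 40)]
    # Unrelated request, must be ignored by the detector.
    lines.append('198.51.100.7 - - [26/Sep/2025:18:00:41 +0000] '
                 '"GET /APRAPI/api/v1/health HTTP/1.1" 200 2')
    return lines


SAMPLE_LOG = _sample_lines()

if __name__ == "__main__":
    for ip, n in find_enumeration_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} existdirectory probes within {WINDOW_SECONDS}s")
```

Run against the constructed log it reports only 203.0.113.5 (12 probes); the two-request client stays under the threshold and the health check is skipped because it is neither a POST nor the endpoint. The same sliding-window count works as a rate-limit input at the reverse proxy, which is the quickest mitigation until the endpoint returns a uniform response for existing and non-existing accounts.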

Added: Sep 26, 2025, 6:19 PM
Updated: Sep 26, 2025, 9:23 PM

Vulnerability Rating

Custom Algorithm

  category        score
  spread          0.0
  impact          2.5
  exploitability  8.7
  remediation     0.0
  relevance       0.6
  threat          6.4
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.