cybelesoft / virtualui

https://www.cybelesoft.com/thinfinity/virtualui/

Vulnerability - User Enumeration Unauthenticated #1

Closed danielmofer closed 2 years ago

danielmofer commented 2 years ago

Dear Cybele Software,

My name is Daniel Morales, from the IT Security Team of ARHS Spikeseed.

I recently found a vulnerability in Thinfinity VirtualUI that allows a malicious actor to enumerate users registered in the OS (Windows) through /changePassword.

How it works

By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest and krbtgt.

Payload

The vulnerable vector is "https://example.com/changePassword?username=USERNAME" where "USERNAME" needs to be brute-forced.

Vulnerable versions

It has been tested in VirtualUI versions 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2 and 2.5.41.0.
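As an added example (not part of the report and not Cybele Software's code), here is a defender-side check that scans web-server access logs in the Common Log Format for the pattern the report describes: one source probing many distinct usernames through /changePassword within a short window. The log lines are constructed, and the five-minute window and three-username threshold are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Common Log Format); not real VirtualUI logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:10:00:01 +0000] "GET /changePassword?username=administrator HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2022:10:00:02 +0000] "GET /changePassword?username=admin HTTP/1.1" 200 518
203.0.113.5 - - [10/Mar/2022:10:00:03 +0000] "GET /changePassword?username=guest HTTP/1.1" 200 518
203.0.113.5 - - [10/Mar/2022:10:00:04 +0000] "GET /changePassword?username=krbtgt HTTP/1.1" 200 518
198.51.100.9 - - [10/Mar/2022:10:05:00 +0000] "GET /changePassword?username=jdoe HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2022:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Source IP, timestamp and request path from a CLF line; the username from the /changePassword query.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3}')
USERNAME_RE = re.compile(r"^/changePassword\?(?:[^#]*&)?username=([^&#]+)")


def parse_events(log_text):
    """Yield (ip, timestamp, username) for every /changePassword?username= request."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        u = USERNAME_RE.match(m["path"]) if m else None
        if u:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, u.group(1)


def find_enumeration(log_text, window_seconds=300, min_distinct_users=3):
    """Return {ip: sorted usernames} for sources that tried at least
    min_distinct_users different usernames within window_seconds (sliding window)."""
    by_ip = defaultdict(list)
    for ip, ts, user in parse_events(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, set()
        for end, (ts, _) in enumerate(events):
            # Advance the window start until it is within window_seconds of this event.
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_distinct_users:
            flagged[ip] = sorted(best)
    return flagged
```

Calling find_enumeration(SAMPLE_LOG) flags 203.0.113.5 (four distinct usernames in four seconds) and not 198.51.100.9; pass the text of a real access log in place of the sample to run it against your own server.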

Fvega1 commented 2 years ago

Hi Daniel,

Thanks for pointing that out. The versions you have listed are quite old, and, fortunately, this vulnerability was fixed in v3.0.

Please let me know if you find anything else!