CVE-2021-44848
Published 2021-12-13
Priority: P3 · 49 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
Exploit: public exploit available (see the Exploit-DB entry below)
EPSS: 23.14% (97.5th percentile)
In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cybelesoft | thinfinity_virtualui | < 3.0 | 3.0 |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to /changePassword that carry a 'username' query parameter: differing response bodies (rc/msg fields) between valid and invalid usernames indicate active enumeration attempts.
- Use regex matchers on HTTP 200 responses to /changePassword to detect enumeration: look for both '"rc":(.*?)' and '"msg":"(.*?)"' fields in the response body.
- Shodan/FOFA/Google dorks identify exposed Thinfinity VirtualUI instances: shodan 'http.title:"thinfinity virtualui"', fofa 'title="thinfinity virtualui"', google 'intitle:"thinfinity virtualui"'.
- Common usernames tried against this endpoint include 'administrator', 'admin', and 'guest': flag repeated requests cycling through these values.
- Error messages returned by /changePassword may vary by language depending on the VirtualUI server configuration, which could affect string-based detection signatures.
- The vulnerability affects Thinfinity VirtualUI versions before 3.0; instances running v3.0 or later are not affected and should not trigger this detection.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.
Exploit-DB
Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
exploitdb · 2021-12-16 · CVE-2021-44848 [MEDIUM] · CVSS 5.3

```text
# Exploit Title: Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
# Date: 13/12/2021
# Exploit Author: Daniel Morales, IT Security Team - ARHS Spikeseed
# Vendor Homepage: https://www.cybelesoft.com
# Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
# Version: vulnerable < v3.0
# Tested on: Microsoft Windows
# CVE: CVE-2021-44848
```
How it works: By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest...
Payload: The vulnerable vector is "https://example.com/changePassword?username=USERNAME", where "USERNAME" needs to be brute-forced.
Nuclei
Thinfinity Iframe Injection
nuclei · CVE-2021-45092 [MEDIUM] · CVSS 5.3
A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default could allow IFRAME injection via the "vpath" parameter.
Template:
```yaml
id: CVE-2021-45092
info:
  name: Thinfinity Iframe Injection
  author: danielmofer
  severity: critical
  description: A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default could allow IFRAME injection via the "vpath" parameter.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential remote code execution.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the vulnerability.
  reference:
    - https://github.com/cybelesoft/virtualui/issues/2
    - http
```
Nuclei
Thinfinity VirtualUI User Enumeration
nuclei · CVE-2021-44848 [MEDIUM] · CVSS 5.3
Thinfinity VirtualUI (before v3.0), /changePassword returns different responses for requests depending on whether the username exists. It may enumerate OS users (Administrator, Guest, etc.)
Template:
```yaml
id: CVE-2021-44848
info:
  name: Thinfinity VirtualUI User Enumeration
  author: danielmofer
  severity: medium
  description: Thinfinity VirtualUI (before v3.0), /changePassword returns different responses for requests depending on whether the username exists. It may enumerate OS users (Administrator, Guest, etc.)
  impact: |
    An attacker can use the gathered usernames for further attacks, such as brute-forcing passwords or launching targeted phishing campaigns.
  remediation: |
    Apply the vendor-supplied patch or upgrade to the latest version of Thinfinity Virtual
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/165327/Cibele-Thinfinity-VirtualUI-2.5.41.0-User-Enumeration.html
- https://github.com/cybelesoft/virtualui/issues/1