Abstract Advisory Information


DualShield 5.9.8.0821 allows username enumeration on its login form. A valid username will ask for

the password when an invalid one will produce a “unknown username” error message.

Author: Excellium Services

Version affected


Name: DualShield

Version: 5.9.8.0821

Common Vulnerability Scoring System


5.4

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Patches


A fix is available in DualShield 6.0. The administrator must check the new checkbox

“Prevent login name guessing” in the authentication panel.

References


Vulnerability Disclosure Timeline


  • 2020/11/10: Vulnerability found in DualShield
  • 2020/11/11: Vulnerability reported to CERT-XLM
  • 2020/11/11: Vulnerability reported to Deepnet Security
  • 2020/11/16: Vulnerability fixed in DualShield version 6.0
  • 2020/11/17: CVE ID requested to MITRE
  • 2020/11/18: CVE ID Assigned by MITRE
  • 2021/02/09: Expected public vulnerability disclosure