CVE-2020-28206

{"id": "CVE-2020-28206", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-12-02T19:15:11.713", "references": [{"url": "https://justrealstag.medium.com/user-enumeration-improper-restriction-of-excessive-authentication-attempts-in-bitrix-98933a97e0e6", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. An \"User enumeration and Improper Restriction of Excessive Authentication Attempts\" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also allows brute-force attacks on the passwords of users not in the administrator group."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Bitrix24 Bitrix Framework (administraci\u00f3n de sitio 1c) versi\u00f3n 20.0. Se presenta una vulnerabilidad de tipo \"User enumeration and Improper Restriction of Excessive Authentication Attempts\" en el formulario de inicio de sesi\u00f3n del administrador, permitiendo a un usuario remoto enumerar usuarios en el grupo de administradores. Esto tambi\u00e9n permite ataques de fuerza bruta sobre las contrase\u00f1as de usuarios que no est\u00e1n en el grupo de administradores"}], "lastModified": "2020-12-04T02:31:55.047", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bitrix24:bitrix_framework:20.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E18D083D-47E8-406D-9D1C-8CE1688130AE"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}