CVE-2022-50800

Summary

H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between existing and non-existing accounts.

Affected Software

VendorProductVersion RangeStatus
Hangzhou H3C TechnologiesH3C SSL VPN1.1affected

Weaknesses

  • CWE-203: Observable Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References