SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2014-10-16T19:00:00
Updated: 2018-10-09T18:57:01
Reserved: 2014-10-16T00:00:00
Link: CVE-2014-8309
JSON object: View
NVD Information
Status : Modified
Published: 2014-10-16T19:55:19.817
Modified: 2018-10-09T19:53:43.027
Link: CVE-2014-8309
JSON object: View
Redhat Information
No data.
CWE