Password policy evasion in products of MB connect line and Helmholz
CVE-2021-34574

4.3MEDIUM

Key Information:

Vendor: Mb Connect Line
Status: Mymbconnect24; Mbconnect24; Myrex24; Myrex24.virtual
Vendor: CVE Published:; 2 August 2021

🔔 Create Mb Connect Line Vulnerability Alert

What is CVE-2021-34574?

In MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2 an authenticated attacker can change the password of his account into a new password that violates the password policy by intercepting and modifying the request that is send to the server.

Affected Version(s)

mbCONNECT24 2 <= 2.11.2

mymbCONNECT24 2 <= 2.11.2

myREX24 2 <= 2.11.2

References

https://cert.vde.com/en/advisories/VDE-2022-039

x_refsource_CONFIRM

https://cert.vde.com/en/advisories/VDE-2021-030

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 2, 2021
Vulnerability Reserved
Jun 10, 2021

Credit

OTORIO reported the vulnerabilities to MB connect line.