The default login template (/vgn/login) in Vignette StoryServer 5 and Vignette V/5 generates different responses whether a user exists or not, which allows remote attackers to identify valid usernames via brute force attacks.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Content_suite | Vignette | 5.0 (including) | 5.0 (including) |
Content_suite | Vignette | 6.0 (including) | 6.0 (including) |
Content_suite | Vignette | 7.0 (including) | 7.0 (including) |
Storyserver | Vignette | 4.0 (including) | 4.0 (including) |
Storyserver | Vignette | 4.1 (including) | 4.1 (including) |
Storyserver | Vignette | 5.0 (including) | 5.0 (including) |
Vignette | Vignette | 5.0 (including) | 5.0 (including) |