CVE-2009-1803

FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, generates different error messages for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
freepbxfreepbx
2.4
freepbxfreepbx
2.4.0_beta1:_beta1
freepbxfreepbx
2.4.0_beta2:_beta2
freepbxfreepbx
2.4.1
freepbxfreepbx
2.5
freepbxfreepbx
2.5.0_beta1:_beta1
freepbxfreepbx
2.5.0rc2:rc2
freepbxfreepbx
2.5.0rc3:rc3
freepbxfreepbx
2.5.1
freepbxfreepbx
2.5.2
sangomafreepbx
2.4.0
sangomafreepbx
2.5.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://freepbx.org/trac/ticket/3660
http://secunia.com/advisories/34772
http://www.osvdb.org/54263
http://www.securityfocus.com/bid/34857
http://freepbx.org/trac/ticket/3660
http://secunia.com/advisories/34772
http://www.osvdb.org/54263
http://www.securityfocus.com/bid/34857