ServiceNow - Username Enumeration Vulnerability (CVE-2021-45901) | allinfosecnews.com

Feb. 4, 2022, midnight |

SpiderLabs Blog from Trustwave www.trustwave.com

During a recent engagement, Trustwave SpiderLabs discovered a vulnerability (CVE-2021-45901) within ServiceNow (Orlando) which allows for a successful username enumeration by using a wordlist. By using an unauthenticated session and navigating to the password reset form, it is possible to infer a valid username. This is achieved through examination of the HTTP POST response data initially triggered by the password reset web form. This response differs depending on a username's existence.

cve enumeration servicenow username username enumeration vulnerability

More from www.trustwave.com / SpiderLabs Blog from Trustwave

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies 2 days, 23 hours ago | www.trustwave.com

balance briefing charge cybersecurity +24

How to Create the Asset Inventory You Probably Don't Have 3 days, 23 hours ago | www.trustwave.com

asset asset inventory blog blog posts +10

Guardians of the Gateway: Identity and Access Management Best Practices 1 week, 3 days ago | www.trustwave.com

access access management best practices blog +16

Protecting Zion: InfoSec Encryption Concepts and Tips 2 weeks, 3 days ago | www.trustwave.com

blog blog posts can concepts +11

EDR – The Multi-Tool of Security Defenses 3 weeks, 3 days ago | www.trustwave.com

blog blog posts can cybersecurity +10

The Invisible Battleground: Essentials of EASM 3 weeks, 3 days ago | www.trustwave.com

attack attack surface attack surface management cyber +13

Fake Dialog Boxes to Make Malware More Convincing 4 weeks, 1 day ago | www.trustwave.com

dialog engagement fake loader +7

The Secret Cipher: Modern Data Loss Prevention Solutions 1 month ago | www.trustwave.com

automated can cipher data +18

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway 1 month ago | www.trustwave.com

alto arbitrary code attacker code +25

Information Security Engineers

@ D. E. Shaw Research | New York City

View on infosec-jobs.com

Technology Security Analyst

@ Halton Region | Oakville, Ontario, Canada

View on infosec-jobs.com

Senior Cyber Security Analyst

@ Valley Water | San Jose, CA

View on infosec-jobs.com

Consultant/Senior Consultant – Categoria Protetta L. 68/99

@ BIP | Italy

View on infosec-jobs.com

SoC Security Architect, Platform Architecture

@ Apple | San Diego, California, United States

View on infosec-jobs.com

Cloud Engineer II- SOC Analyst

@ Insight Enterprises, Inc. | Gurugram Gurgaon HR, IN

View on infosec-jobs.com