CVE-2020-9389

low-risk

Published 2021-02-03

A username enumeration issue was discovered in SquaredUp before version 4.6.0. The login functionality was implemented in a way that would enable a malicious user to guess valid username due to a different response time from invalid usernames.

Do I need to act?

0.32% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.7/10 Low

NETWORK / HIGH complexity

Affected Products (1)

Squaredup

Affected Vendors

Squaredup

References (4)

Broken Link https://support.squaredup.com/hc/en-us/articles/360017255858

Broken Link https://support.squaredup.com/hc/en-us/articles/360019427238-CVE-2020-9389-Usern...

Broken Link https://support.squaredup.com/hc/en-us/articles/360017255858

Broken Link https://support.squaredup.com/hc/en-us/articles/360019427238-CVE-2020-9389-Usern...

/ 100

low-risk

Severity 13/34 · Low

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal