Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and session-forgery attacks.
Metrics
Affected Vendors & Products
References
History
Mon, 13 Jul 2026 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and session-forgery attacks. | |
| Title | Rejetto HFS < 3.2.1 Username Enumeration via Login Response Differences | |
| Weaknesses | CWE-204 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-13T17:23:20.688Z
Reserved: 2026-07-10T15:43:36.626Z
Link: CVE-2026-61503
No data.
No data.
No data.
OpenCVE Enrichment
No data.