CVE-2019-10848

Vulnerability

Computrols CBAS version 18.0.0 suffers from a username enumeration vulnerability. The login endpoint responds differently depending on whether the submitted username exists, enabling an attacker to distinguish valid from invalid usernames. This affects the CBAS web interface as per the advisory [1].

Exploitation

An attacker can exploit this by sending login requests with candidate usernames and observing the server's response (e.g., different error messages or response times). No authentication or prior access is required; the attacker only needs network connectivity to the CBAS web application. A proof-of-concept demonstrates this behavior [3].

Impact

Successful exploitation allows an attacker to compile a list of valid usernames. This information can be used as a stepping stone for further attacks such as password guessing, brute-force credential attempts, or targeted social engineering against known accounts. The vulnerability alone does not grant system access, but it reduces the attack surface for subsequent compromise.

Mitigation

As of the available references, no official patch or workaround has been disclosed for CBAS 18.0.0. Users should contact Computrols for updates. The advisory notes that later versions may address the issue; version 19.0.0 is mentioned in one reference [3] but no explicit fix is confirmed. Until a patch is available, implement network access controls and monitor login attempts to detect enumeration activity.