CVE-2020-26526
Description
An issue was discovered in Damstra Smart Asset 2020.7. It is possible to enumerate valid usernames on the login page. The application sends a different server response when the username is invalid than when the username is valid ("Unable to find an APIDomain" versus "Wrong email or password").
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Damstra Smart Asset 2020.7 login page reveals valid usernames via distinct error messages, enabling enumeration attacks.
Vulnerability
An issue exists in Damstra Smart Asset version 2020.7 where the login page returns different server responses for invalid versus valid usernames. An invalid username triggers the message "Unable to find an APIDomain for the email [username], please contact your system administrator," while a valid username (with incorrect password) results in "Login Failed! Wrong email or password." This difference allows an attacker to enumerate valid usernames. [1] [2]
Exploitation
An unauthenticated attacker can send login POST requests with candidate usernames. By comparing the server's response (either the "APIDomain" error or the generic login failure message), the attacker can determine whether a given username exists on the system. No authentication or special privileges are required; the attack is straightforward and requires only standard HTTP request capabilities. [2]
Impact
Successful username enumeration provides an attacker with a list of valid usernames, which can be used as a stepping stone for further attacks such as password guessing or credential stuffing. This information disclosure does not directly compromise data or system integrity, but it significantly reduces the effort needed for targeted login attempts. [1] [2]
Mitigation
The vulnerability is present in Damstra Smart Asset 2020.7 and potentially earlier versions. As of the publication date, no patch or fixed version has been disclosed in the available references. A workaround is to implement generic error messages that do not distinguish between valid and invalid usernames, such as always returning "Invalid username or password." [2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
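The generic-message workaround from the Mitigation paragraph above, shown as a small login handler in Python. This is an added example, not Damstra's code: the in-memory user store, the PBKDF2 parameters, the function names `login_vulnerable`, `login_hardened` and `leaks_username_validity`, and the `GENERIC_FAILURE` string are all constructed for illustration; only the two error messages in the vulnerable variant are taken from the CVE description. The hardened variant also runs a dummy hash for unknown usernames so that response time does not quietly replace the message text as the enumeration oracle.

```python
"""Username-enumeration-resistant login handling (CVE-2020-26526 pattern).

Added example, not Damstra Smart Asset code. Everything below except the
two quoted vulnerable-path messages is constructed for illustration.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count is a constructed value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password digest).
_SALT_ALICE = os.urandom(16)
USERS = {
    "alice@example.com": (_SALT_ALICE, _hash_password("correct horse", _SALT_ALICE)),
}

# Dummy credential used for unknown usernames so the unknown-user path does
# the same amount of work as the known-user path. The digest is random bytes,
# so no submitted password can ever match it.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = os.urandom(32)  # same length as a SHA-256 digest

GENERIC_FAILURE = "Invalid username or password."


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Mirrors the behaviour described in the CVE: the response reveals
    whether the username exists before the password is even checked."""
    record = USERS.get(username)
    if record is None:
        return 400, (f"Unable to find an APIDomain for the email {username}, "
                     "please contact your system administrator")
    salt, digest = record
    if not hmac.compare_digest(_hash_password(password, salt), digest):
        return 401, "Login Failed! Wrong email or password."
    return 200, "OK"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same status code, same message and same hashing cost whether the
    username is unknown or the password is wrong."""
    found = username in USERS
    salt, digest = USERS[username] if found else (_DUMMY_SALT, _DUMMY_DIGEST)
    # Always compute and compare, even for unknown users (constant work).
    password_ok = hmac.compare_digest(_hash_password(password, salt), digest)
    if found and password_ok:
        return 200, "OK"
    return 401, GENERIC_FAILURE


def leaks_username_validity(handler) -> bool:
    """Regression check a defender can keep in a test suite: True if the
    handler's (status, body) differs between an unknown username and a
    known username with a wrong password."""
    unknown_user = handler("nobody@example.com", "not-the-password")
    wrong_password = handler("alice@example.com", "not-the-password")
    return unknown_user != wrong_password


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_username_validity(login_vulnerable))
    print("hardened handler leaks:  ", leaks_username_validity(login_hardened))
```

`leaks_username_validity` is the part worth keeping around: it encodes the exact comparison an attacker would make and turns it into a unit test, so a later change that reintroduces a distinct "user not found" message fails the build rather than shipping.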
Affected products
- Damstra/Smart Asset
- Range: 2020.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] smartasset.com (MITRE refsource: MISC)
- [2] support.damstratechnology.com/hc/en-us/categories/900000115446-SmartAsset-Damstra-Asset-Management-Platform (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.