CVE-2023-37635
Description
UVDesk Community Skeleton v1.1.1 allows unauthenticated attackers to perform brute force attacks on the login page to gain access to the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE)
- (no CPE), version range: =1.1.1
Patches
Vulnerability mechanics
Root cause
"Missing rate limiting, account lockout, or timeout controls on the login page allow unlimited authentication attempts."
Attack vector
An unauthenticated, remote attacker can send an arbitrary number of login requests to the `/public/en/member/login` endpoint without any rate limiting or account lockout mechanism [ref_id=1]. By intercepting a login request (e.g., with Burp Suite), the attacker sets the password parameter as a payload position and runs a brute-force attack with many password candidates [ref_id=1]. Because the application does not disconnect the user after failed attempts, implement a timeout, or lock the targeted account, the attacker can eventually guess the correct password and gain authenticated access [ref_id=1].
Affected code
The vulnerability affects the `memberLogin` component of UVDesk Community Skeleton v1.1.1, specifically the login page at `/public/en/member/login` [ref_id=1]. No patch or source code diff is provided in the bundle.
What the fix does
No patch is provided in the bundle. The advisory recommends implementing common brute-force protections: disconnecting the user after a small number of failed attempts, implementing a timeout, locking out a targeted account, or requiring a computational task (e.g., CAPTCHA) on the user's part [ref_id=1]. Without such controls, the login endpoint remains vulnerable to unlimited password guessing.
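The controls the advisory lists (a small failure budget, a cooldown that grows with each failure, and a timed lockout of the targeted account) are easy to state and easy to get subtly wrong, so here is an added illustration of them in Python. This is not code from UVDesk or from the advisory; the thresholds (5 failures, 15-minute lock, doubling delay) and the account-keyed design are assumptions chosen for the example, and the guessing simulation uses a constructed candidate list.

```python
"""Failed-login lockout and cooldown guard.

Added illustration of the brute-force protections the advisory recommends;
not UVDesk code. Thresholds and the per-account keying are assumptions.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class LoginGuard:
    max_failures: int = 5            # consecutive failures before the account locks
    lockout_seconds: float = 900.0   # how long the lock lasts (15 minutes, assumed)
    base_delay: float = 1.0          # cooldown doubled after every failure
    clock: Callable[[], float] = time.monotonic  # injectable for testing
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        """True while the account's lock is active; expired locks are cleared."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget it and reset the failure counter.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account: str, password_ok: bool) -> Tuple[str, float]:
        """Record one login attempt and return (decision, delay_seconds).

        decision is 'locked', 'allowed' or 'denied'. The lock is consulted
        before the password is trusted, so a correct guess during the lock
        window is still refused; the response must not reveal whether the
        account exists.
        """
        if self.is_locked(account):
            return "locked", self._locked_until[account] - self.clock()
        if password_ok:
            self._failures.pop(account, None)      # success resets the budget
            return "allowed", 0.0
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return "locked", self.lockout_seconds
        # Exponential cooldown: 1s, 2s, 4s, ... slows automated guessing.
        return "denied", self.base_delay * 2 ** (n - 1)


def simulate_guessing(guard: LoginGuard, account: str, secret: str, candidates) -> int:
    """Feed a constructed candidate list through the guard and return how many
    candidates were actually checked before a lock (or a success) stopped it."""
    checked = 0
    for cand in candidates:
        if guard.is_locked(account):
            break
        checked += 1
        decision, _ = guard.attempt(account, cand == secret)
        if decision == "allowed":
            break
    return checked


if __name__ == "__main__":
    # Constructed wordlist: the "right" password sits at position 20.
    wordlist = [f"pw{i}" for i in range(50)]
    unprotected = LoginGuard(max_failures=10**9)        # mirrors the unpatched behaviour
    protected = LoginGuard()                             # recommended controls
    print("no lockout  :", simulate_guessing(unprotected, "agent", "pw19", wordlist), "candidates checked")
    print("with lockout:", simulate_guessing(protected, "agent", "pw19", wordlist), "candidates checked")
```

Keying the lock on the account name alone lets anyone who knows a username lock that user out; in production this guard would sit beside a per-source throttle and be backed by shared storage rather than an in-process dict, and the "locked" and "denied" responses should be indistinguishable to the client apart from timing.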
Preconditions
- network: The attacker must have network access to the UVDesk login page at `/public/en/member/login`
- auth: No authentication is required to reach the login endpoint
Reproduction
1. Navigate to `http://localhost/uvdesk-community/public/en/member/login` and enter a username and password.
2. Intercept the login request in Burp Suite and send it to the Intruder tab.
3. Set the password parameter as the payload position, craft 50+ password payloads, and start the attack.
4. Observe that the attack succeeds: a valid password is found and the application logs in successfully [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References: 1
News mentions: 0 (no linked articles in our index yet)