CVE-2025-56132 (CNNVD-202509-4443)
中文标题:
Liquidfiles 安全漏洞
英文标题:
LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset func...
漏洞描述
中文描述:
Liquidfiles是美国Liquidfiles公司的一个用于公司和组织的大型安全文件传输和共享的存储服务。 Liquidfiles 4.2之前版本存在安全漏洞,该漏洞源于密码重置功能返回可区分响应,可能导致用户枚举攻击。
英文描述:
LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2 introduces user-based lockout mechanisms to mitigate brute-force attacks, user enumeration remains possible by default. In versions prior to 4.2, no such user-level protection is in place, only basic IP-based rate limiting is enforced. This IP-based protection can be bypassed by distributing requests across multiple IPs (e.g., rotating IP or proxies). Effectively bypassing both login and password reset security controls. Successful exploitation allows an attacker to enumerate valid email addresses registered for the application, increasing the risk of follow-up attacks such as password spraying.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| liquidfiles | liquidfiles | * | - | - |
cpe:2.3:a:liquidfiles:liquidfiles:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (adp)
HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-56132 |
2025-11-11 15:23:29 | 2025-11-11 07:40:44 |
| NVD | nvd_CVE-2025-56132 |
2025-11-11 15:01:04 | 2025-11-11 07:48:31 |
| CNNVD | cnnvd_CNNVD-202509-4443 |
2025-11-11 15:12:59 | 2025-11-11 08:00:14 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202509-4443
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- affected_products_count: 0 -> 1
- data_sources: ['cve'] -> ['cve', 'nvd']