FKIE_CVE-2025-56132

Vulnerability from fkie_nvd - Published: 2025-09-30 19:15 - Updated: 2025-10-15 18:38
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2 introduces user-based lockout mechanisms to mitigate brute-force attacks, user enumeration remains possible by default. In versions prior to 4.2, no such user-level protection is in place, only basic IP-based rate limiting is enforced. This IP-based protection can be bypassed by distributing requests across multiple IPs (e.g., rotating IP or proxies). Effectively bypassing both login and password reset security controls. Successful exploitation allows an attacker to enumerate valid email addresses registered for the application, increasing the risk of follow-up attacks such as password spraying.
References
cve@mitre.orghttps://docs.liquidfiles.com/release_notes/version_4-2-x.htmlRelease Notes
cve@mitre.orghttps://www.liquidfiles.com/updates/v4.2.htmlRelease Notes
Impacted products
Vendor Product Version
liquidfiles liquidfiles *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liquidfiles:liquidfiles:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C755FFB-F752-48C3-ACE4-27711E8E40A2",
              "versionEndExcluding": "4.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2 introduces user-based lockout mechanisms to mitigate brute-force attacks, user enumeration remains possible by default. In versions prior to 4.2, no such user-level protection is in place, only basic IP-based rate limiting is enforced. This IP-based protection can be bypassed by distributing requests across multiple IPs (e.g., rotating IP or proxies). Effectively bypassing both login and password reset security controls. Successful exploitation allows an attacker to enumerate valid email addresses registered for the application, increasing the risk of follow-up attacks such as password spraying."
    },
    {
      "lang": "es",
      "value": "El servidor de transferencia de archivos LiquidFiles es vulnerable a un problema de enumeraci\u00f3n de usuarios en su funcionalidad de restablecimiento de contrase\u00f1a. La aplicaci\u00f3n devuelve respuestas distinguibles para direcciones de correo electr\u00f3nico v\u00e1lidas e inv\u00e1lidas, permitiendo a atacantes no autenticados determinar la existencia de cuentas de usuario. La versi\u00f3n 4.2 introduce mecanismos de bloqueo basados en el usuario para mitigar ataques de fuerza bruta; la enumeraci\u00f3n de usuarios sigue siendo posible por defecto. En versiones anteriores a la 4.2, no existe tal protecci\u00f3n a nivel de usuario, solo se aplica una limitaci\u00f3n de velocidad b\u00e1sica basada en IP. Esta protecci\u00f3n basada en IP puede ser eludida distribuyendo solicitudes a trav\u00e9s de m\u00faltiples IPs (por ejemplo, IP rotatoria o proxies). Eludiendo eficazmente los controles de seguridad tanto de inicio de sesi\u00f3n como de restablecimiento de contrase\u00f1a. La explotaci\u00f3n exitosa permite a un atacante enumerar direcciones de correo electr\u00f3nico v\u00e1lidas registradas para la aplicaci\u00f3n, aumentando el riesgo de ataques posteriores como el \u0027password spraying\u0027 (pulverizaci\u00f3n de contrase\u00f1as)."
    }
  ],
  "id": "CVE-2025-56132",
  "lastModified": "2025-10-15T18:38:42.897",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-30T19:15:37.253",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://docs.liquidfiles.com/release_notes/version_4-2-x.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.liquidfiles.com/updates/v4.2.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-305"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.