CVE-2013-6020

Tyler Technologies TaxWeb 3.13.3.1 - User Enumeration via Password Recovery Status Code

Title source: llm
STIX 2.1

Description

passwordRequestPOST.jsp in Tyler Technologies TaxWeb 3.13.3.1 sends different HTTP status codes for invalid password-recovery requests depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of requests to the (1) Assessor, (2) Recorder, or (3) Treasurer application.

References (1)

Core 1
Core References
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/911678

Scores

EPSS 0.0128
EPSS Percentile 66.6%

Details

CWE
CWE-200
Status published
Products (1)
tylertech/taxweb 3.13.3.1
Published Oct 28, 2013
Tracked Since Feb 18, 2026