CVE-2017-8055
MEDIUMWatchGuard Fireware < 11.2.1 - User Enumeration via XML-RPC Login Handler
Title source: llmDescription
WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML-RPC login handler. A login request that contains a blank password sent to the XML-RPC agent in Fireware v11.12.1 and earlier returns different responses for valid and invalid usernames. An attacker could exploit this vulnerability to enumerate valid usernames on an affected Firebox.
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.sidertia.com/Home/Community/Blog/2017/04/17/Fixed-the-Fireware-Vulnerabilities-discovered-by-Sidertia
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/142177/watchguardfbxtm-xxeinject.txt
Vendor Advisory x_refsource_misc
http://watchguardsupport.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000KlGSAU
Release Notes, Vendor Advisory x_refsource_misc
https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_2/index.html
Scores
CVSS v3
5.3
EPSS
0.0159
EPSS Percentile
72.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-203
Status
published
Products (1)
watchguard/fireware
< 11.2.1
Published
Apr 22, 2017
Tracked Since
Feb 18, 2026