Account Enumeration Vulnerability in Tyler Technologies TaxWeb 3.13.3.1

CVE-2013-6020 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:P/A:N

passwordRequestPOST.jsp in Tyler Technologies TaxWeb 3.13.3.1 sends different HTTP status codes for invalid password-recovery requests depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of requests to the (1) Assessor, (2) Recorder, or (3) Treasurer application.

Learn more about our Web App Pen Testing.