Login Bruteforce

Login Brute Force on Login Page 

Login BruteForce 

Vendor of the product(s) – UVDesk 

 Product Name – Community Skeleton v1.1.1 

 URL of the Producthttps://github.com/uvdesk/community-skeleton  

 Affected component(s) – memberLogin 

 Attack vector(s) – Remote 

 Suggested description of the vulnerability for use in the CVE –  UVDesk Community v1.1.1 allows and unauthenticated, remote attacker to perform login brute-force password on login pages. 

 Discoverer/Credit – Sahil Dari 

Title: Login Brute Force on Login Page 


A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. The hacker tries multiple usernames and passwords, often using a computer to test a wide range of combinations, until they find the correct login information. 

eSecForte Technologies Security Researcher – Sahil Dari reported a Login Brute Force 

Description : UVDesk Community v1.1.1 allows and unauhenticated, remote attacker to perform login brute-force password on login pages. 

Platform/Product: UVDesk Community Skeleton v1.1.1 

Vulnerability Name: Brute Force on Login Page 

Affected Component:memberLogin  

Attack Type: Authentication Errors 

Impact: An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account 

Recommendation: Common protection mechanisms include: 

  • Disconnecting the user after a small number of failed attempts. 
  • Implementing a timeout 
  • Locking out a targeted account 
  • Requiring a computational task on the user’s part. 

Affected ParameterLogin Page 

Affected URLhttp://localhost/uvdesk-community/public/en/member/login  

Methods of Exploitation: 

Steps to reproduce: – 

Step-1 Navigate to http://localhost/uvdesk-community/public/en/member/login and enter the username and password. 

Step-2 Intercept the request in the burp suite proxy tool. Send the request to Intruder tab for brute-force attack. 

Step-3 Using password as payload position craft 50+ payloads and start the attack. 

Step-4 The auditor noticed that the attack was successful. 

Step-5 Now show the request in the browser, the auditor noticed that the application is logged in successfully. 


Sahil Dari from eSec Forte Technologies Pvt. Ltd.