{"vulnerability": "CVE-2020-11625", "sightings": [{"uuid": "814da383-a6f3-43e2-8702-3da1b2f7c041", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-11625", "type": "seen", "source": "https://bsky.app/profile/f5labs.bsky.social/post/3lrtrw2tjm22f", "content": "", "creation_timestamp": "2025-06-18T00:47:12.746758Z"}, {"uuid": "e4f1965b-3df1-4353-8994-ee75d188478c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-11625", "type": "seen", "source": "https://t.me/cibsecurity/13640", "content": "ATENTION\u203c New - CVE-2020-11625\n\nAn issue was discovered in AvertX Auto focus Night Vision HD Indoor/Outdoor IP Dome Camera HD838 and Night Vision HD Indoor/Outdoor Mini IP Bullet Camera HD438. Failed web UI login attempts elicit different responses depending on whether a user account exists. Because the responses indicate whether a submitted username is valid or not, they make it easier to identify legitimate usernames. If a login request is sent to ISAPI/Security/sessionLogin/capabilities using a username that exists, it will return the value of the salt given to that username, even if the password is incorrect. However, if a login request is sent using a username that is not present in the database, it will return an empty salt value. This allows attackers to enumerate legitimate usernames, facilitating brute-force attacks. NOTE: this is different from CVE-2020-7057.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-07-24T00:55:20.000000Z"}]}