IntelliChoice eFORCE Software Suite Username Enumeration

Advisories

severity: medium
date: December 9, 2025
Affecting: 2.5.9.6
2.5.9.5
2.5.9.3
2.5.9.2
2.5.9.1
2.5.8.0
2.5.7.20
2.5.7.18
2.5.6.18
2.5.4.6
2.5.3.11
CVE: CVE-2021-47717
CWE: CWE-204 Observable Response Discrepancy
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References: ExploitDB-50164
EFORCE Software Homepage
Zero Science Lab Disclosure (ZSL-2021-5658)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by exploiting the 'ctl00$MainContent$UserName' POST parameter. Attackers can send requests with valid usernames to retrieve user information.