CVE-2020-35398: UTI Mutual fund Android Application- Username Enumeration
Vulnerable Software: UTI Mutual fund Android Application Vulnerability: Username Enumeration Affected Version: 5.4.28 Patch: Not Released (03-December-2021) Vendor Homepage: https://utimf.com/ CVE: CVE-2020-11561 CVE Author: Tejas Nitin Pingulkar Exploit Available: POC available About Affected Software Investing in Mutual Funds is now easy with the UTI MF (UTI Mutual Funds) App. It gives you a hassle-free experience to invest in any mutual fund scheme of your choice from anywhere, anytime with just a few clicks. The paperless transactions allow new investors to start a SIP or invest a lumpsum with ease. Exploit Input an incorrect username (one that don't exist), the application will respond with an error message "we are unable to recognize the use user id entered" were as if the valid username is entered and invalid password is provided application responds with "the password entered is incorrect" which assist attacker to enumerate v