CVE-2013-6020 Information

Description

passwordRequestPOST.jsp in Tyler Technologies TaxWeb 3.13.3.1 sends different HTTP status codes for invalid password-recovery requests depending on whether the user account exists which allows remote attackers to enumerate account names via a series of requests to the (1) Assessor (2) Recorder or (3) Treasurer application.

Reference

http://www.kb.cert.org/vuls/id/911678