CVE-2020-35398: UTI Mutual fund Android Application- Username Enumeration

Vulnerable Software: UTI Mutual fund Android Application

Vulnerability: Username Enumeration

Affected Version: 5.4.28

Patch: Not Released (03-December-2021)

Vendor Homepage:

CVE: CVE-2020-11561

CVE Author: Tejas Nitin Pingulkar

Exploit Available: POC available

About Affected Software

Investing in Mutual Funds is now easy with the UTI MF (UTI Mutual Funds) App. It gives you a hassle-free experience to invest in any mutual fund scheme of your choice from anywhere, anytime with just a few clicks. The paperless transactions allow new investors to start a SIP or invest a lumpsum with ease.


Input an incorrect username (one that don’t exist), the application will respond with an error message “we are unable to recognize the use user id entered” were as if the valid username is entered and invalid password is provided application responds with “the password entered is incorrect” which assist attacker to enumerate valid usernames 

Proof Of Concept

First screenshot shows that user exist

Second screenshot shows that user does not exist

CVE-2020-35398: UTI Mutual fund Android Application- Username Enumeration

Leave a Reply

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to top