CWE-204
AllowedObservable Response Discrepancy
Abstraction: Base · Status: Incomplete
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
297 vulnerabilities reference this CWE, most recent first.
GHSA-3XM3-C6M3-M8WF
Vulnerability from github – Published: 2025-10-14 03:30 – Updated: 2025-10-14 03:30A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or availability.
{
"affected": [],
"aliases": [
"CVE-2025-42903"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T01:15:32Z",
"severity": "MODERATE"
},
"details": "A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or availability.",
"id": "GHSA-3xm3-c6m3-m8wf",
"modified": "2025-10-14T03:30:57Z",
"published": "2025-10-14T03:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42903"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3656781"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-424X-CXVH-WQ9P
Vulnerability from github – Published: 2025-05-28 17:38 – Updated: 2025-05-28 20:08Summary
This advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames.
User Enumeration via Timing Attack: A user enumeration vulnerability exists in the "Forget your password" functionality. Differences in response times for existing and non-existing users, combined with a lack of request limiting, allow an attacker to determine the existence of usernames through a timing-based attack.
Mitigation
Please update to a version that addresses this timing vulnerability, where password reset responses are normalized to respond at the same time regardless of user existence.
Workarounds
None
If you have any questions or comments about this advisory: Email us at security@mautic.org
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "4.4.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-alpha"
},
{
"fixed": "5.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0-alpha"
},
{
"fixed": "6.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47057"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-28T17:38:46Z",
"nvd_published_at": "2025-05-28T18:15:25Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThis advisory addresses a security vulnerability in Mautic related to the \"Forget your password\" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames.\n\nUser Enumeration via Timing Attack: A user enumeration vulnerability exists in the \"Forget your password\" functionality. Differences in response times for existing and non-existing users, combined with a lack of request limiting, allow an attacker to determine the existence of usernames through a timing-based attack.\n\n### Mitigation\nPlease update to a version that addresses this timing vulnerability, where password reset responses are normalized to respond at the same time regardless of user existence.\n\n### Workarounds\nNone\n\nIf you have any questions or comments about this advisory:\nEmail us at security@mautic.org",
"id": "GHSA-424x-cxvh-wq9p",
"modified": "2025-05-28T20:08:12Z",
"published": "2025-05-28T17:38:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/security/advisories/GHSA-424x-cxvh-wq9p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47057"
},
{
"type": "PACKAGE",
"url": "https://github.com/mautic/mautic"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mautic allows user name enumeration due to response time difference on password reset form"
}
GHSA-43QQ-QW4X-28F8
Vulnerability from github – Published: 2022-10-18 21:14 – Updated: 2026-01-31 03:41TL;DR
This vulnerability only affects you if you are using the code or password-reset auth method with the auth.methods option. It can only be successfully exploited under server configuration conditions outside of the attacker's control.
Introduction
User enumeration is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company.
User enumeration attacks are performed by entering an existing and a non-existing user into the email address field of the login form. If the system returns a different response or behaves differently depending on whether the user exists, the attacker can enter unknown email addresses and use the different behavior as a clue for the (non-)existing user.
Impact
Under normal circumstances, entering an invalid email address results in a "fake" login code form that looks exactly like the one of an existing user (unless debugging is enabled). However, the code that handles the creation of a code challenge (for code-based login or password reset) didn't catch errors that occurred while the challenge request was processed:
- If the challenge itself runs into an error (e.g. if the email could not be sent), attackers could tell existing users (where the challenge code is called) from non-existing users (where the challenge code is not called and therefore does not output an error).
- If you are using the
user.login:failedhook and any exception is thrown within the hook, attackers could see that the user does not exist.
As long as no error occurs during challenge creation and during the processing of the user.login:failed hook, your Kirby sites are not affected by this vulnerability.
Patches
The problems have been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1 and Kirby 3.8.1. Please update to one of these or a later version to fix the vulnerability.
All of the mentioned releases contain two patches for this vulnerability:
- All errors that occur during the creation of an auth challenge (code-based login or password reset) are swallowed by the backend and only displayed to the user if debugging is enabled.
- We added a new
auth.debugoption that can be enabled separately from thedebugoption. If disabled, auth errors are only printed to the PHP error log. This ensures that security-critical errors are only displayed if they are really necessary for debugging.
Workarounds
We recommend to update to one of the patch releases. If you cannot update immediately, you can work around the issue by setting the auth.methods option to password, which disables the code-based login and password reset forms.
However please note that your site will still be vulnerable against another user enumeration issue that was also fixed in the same patch releases.
Credits
Thanks to Florian Merz (@florianmrz) of hatchery.io for responsibly reporting the identified issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0"
},
{
"fixed": "3.5.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.6.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "3.7.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.8.0"
]
}
],
"aliases": [
"CVE-2022-39314"
],
"database_specific": {
"cwe_ids": [
"CWE-204",
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-18T21:14:04Z",
"nvd_published_at": "2022-10-24T14:15:00Z",
"severity": "MODERATE"
},
"details": "### TL;DR\n\nThis vulnerability only affects you if you are using the `code` or `password-reset` auth method with the `auth.methods` option. It can only be successfully exploited under server configuration conditions outside of the attacker\u0027s control.\n\n----\n\n### Introduction\n\nUser enumeration is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company.\n\nUser enumeration attacks are performed by entering an existing and a non-existing user into the email address field of the login form. If the system returns a different response or behaves differently depending on whether the user exists, the attacker can enter unknown email addresses and use the different behavior as a clue for the (non-)existing user.\n\n### Impact\n\nUnder normal circumstances, entering an invalid email address results in a \"fake\" login code form that looks exactly like the one of an existing user (unless debugging is enabled). However, the code that handles the creation of a code challenge (for code-based login or password reset) didn\u0027t catch errors that occurred while the challenge request was processed:\n\n- If the challenge itself runs into an error (e.g. if the email could not be sent), attackers could tell existing users (where the challenge code is called) from non-existing users (where the challenge code is not called and therefore does not output an error).\n- If you are using the `user.login:failed` hook and any exception is thrown within the hook, attackers could see that the user does not exist.\n\nAs long as no error occurs during challenge creation and during the processing of the `user.login:failed` hook, your Kirby sites are *not* affected by this vulnerability.\n\n### Patches\n\nThe problems have been patched in [Kirby 3.5.8.2](https://github.com/getkirby/kirby/releases/tag/3.5.8.2), [Kirby 3.6.6.2](https://github.com/getkirby/kirby/releases/tag/3.6.6.2), [Kirby 3.7.5.1](https://github.com/getkirby/kirby/releases/tag/3.7.5.1) and [Kirby 3.8.1](https://github.com/getkirby/kirby/releases/tag/3.8.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nAll of the mentioned releases contain two patches for this vulnerability:\n\n- All errors that occur during the creation of an auth challenge (code-based login or password reset) are swallowed by the backend and only displayed to the user if debugging is enabled.\n- We added a new `auth.debug` option that can be enabled separately from the `debug` option. If disabled, auth errors are only printed to the PHP error log. This ensures that security-critical errors are only displayed if they are really necessary for debugging.\n\n### Workarounds\n\nWe recommend to update to one of the patch releases. If you cannot update immediately, you can work around the issue by setting the `auth.methods` option to `password`, which disables the code-based login and password reset forms.\n\nHowever please note that your site will still be vulnerable against [another user enumeration issue](https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f) that was also fixed in the same patch releases.\n\n### Credits\n\nThanks to [Florian Merz](mailto:florian@hatchery.io) (@florianmrz) of [hatchery.io](https://www.hatchery.io/) for responsibly reporting the identified issue.",
"id": "GHSA-43qq-qw4x-28f8",
"modified": "2026-01-31T03:41:13Z",
"published": "2022-10-18T21:14:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-43qq-qw4x-28f8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39314"
},
{
"type": "PACKAGE",
"url": "https://github.com/getkirby/kirby"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.2"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.2"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.1"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.8.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Kirby CMS vulnerable to user enumeration in the code-based login and password reset forms"
}
GHSA-466P-J3VQ-MWQ3
Vulnerability from github – Published: 2025-01-25 15:30 – Updated: 2025-01-25 15:30IBM Control Center 6.2.1 and 6.3.1
could allow a remote attacker to enumerate usernames due to an observable discrepancy between login attempts.
{
"affected": [],
"aliases": [
"CVE-2024-35114"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-25T14:15:29Z",
"severity": "MODERATE"
},
"details": "IBM Control Center 6.2.1 and 6.3.1 \n\n\n\n\n\ncould allow a remote attacker to enumerate usernames due to an observable discrepancy between login attempts.",
"id": "GHSA-466p-j3vq-mwq3",
"modified": "2025-01-25T15:30:31Z",
"published": "2025-01-25T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35114"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7174842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4C58-M4CG-6H2F
Vulnerability from github – Published: 2026-04-14 03:31 – Updated: 2026-04-14 03:31During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.
{
"affected": [],
"aliases": [
"CVE-2026-34264"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T01:16:04Z",
"severity": "MODERATE"
},
"details": "During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.",
"id": "GHSA-4c58-m4cg-6h2f",
"modified": "2026-04-14T03:31:40Z",
"published": "2026-04-14T03:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34264"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3680767"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4FQ5-58J6-9QPH
Vulnerability from github – Published: 2023-07-10 18:30 – Updated: 2026-06-01 15:30Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from the response given during a failed login attempt.
{
"affected": [],
"aliases": [
"CVE-2023-35698"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-10T16:15:52Z",
"severity": "MODERATE"
},
"details": "Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from the response given during a failed login\nattempt.",
"id": "GHSA-4fq5-58j6-9qph",
"modified": "2026-06-01T15:30:31Z",
"published": "2023-07-10T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35698"
},
{
"type": "WEB",
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"
},
{
"type": "WEB",
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4G8M-5MJ5-C8XG
Vulnerability from github – Published: 2025-05-06 16:38 – Updated: 2025-05-06 19:57Impact
Based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists.
Patches
Patched in 10.8.10 and 13.8.1.
Workarounds
None available.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Cms"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-rc1"
},
{
"fixed": "13.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.8.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46736"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-06T16:38:55Z",
"nvd_published_at": "2025-05-06T17:16:12Z",
"severity": "MODERATE"
},
"details": "### Impact\nBased on an analysis of the timing of post login API responses, it\u0027s possible to determine whether an account exists.\n\n### Patches\nPatched in 10.8.10 and 13.8.1.\n\n### Workarounds\nNone available.",
"id": "GHSA-4g8m-5mj5-c8xg",
"modified": "2025-05-06T19:57:06Z",
"published": "2025-05-06T16:38:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-4g8m-5mj5-c8xg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46736"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/commit/14fbd20665b453cbf094ccf4575b79a9fba07e03"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/commit/34709be6cce9752dfa767dffbf551305f48839bc"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco-CMS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Umbraco Makes User Enumeration Feasible Based on Timing of Login Response"
}
GHSA-4GRF-X53V-R95X
Vulnerability from github – Published: 2024-05-03 18:30 – Updated: 2024-05-03 18:30IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote user to enumerate usernames due to differentiating error messages on existing usernames. IBM X-Force ID: 199181.
{
"affected": [],
"aliases": [
"CVE-2021-20556"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T18:15:07Z",
"severity": "MODERATE"
},
"details": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote user to enumerate usernames due to differentiating error messages on existing usernames. IBM X-Force ID: 199181.",
"id": "GHSA-4grf-x53v-r95x",
"modified": "2024-05-03T18:30:37Z",
"published": "2024-05-03T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20556"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/199181"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7149876"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-552F-97WF-PMPQ
Vulnerability from github – Published: 2024-03-20 17:54 – Updated: 2025-02-12 18:19Impact
A user enumeration attack is possible.
Affected versions
Umbraco 10 with access to the native login screen
Patches
This is fixed in 10.8.5
Workarounds
Disabling the native login screen, by exclusively use external logins.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "UmbracoCMS"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.8.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28868"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-20T17:54:35Z",
"nvd_published_at": "2024-03-20T20:15:09Z",
"severity": "LOW"
},
"details": "### Impact\nA user enumeration attack is possible.\n\n### Affected versions\nUmbraco 10 with access to the native login screen\n\n### Patches\nThis is fixed in 10.8.5\n\n\n### Workarounds\nDisabling the native login screen, by exclusively use external logins.",
"id": "GHSA-552f-97wf-pmpq",
"modified": "2025-02-12T18:19:44Z",
"published": "2024-03-20T17:54:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-552f-97wf-pmpq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28868"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/commit/7e1d1a1968000226cd882fff078b122b8d46c44d"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco-CMS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Umbraco possible user enumeration "
}
GHSA-56J3-W2R5-QGXQ
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system.
{
"affected": [],
"aliases": [
"CVE-2018-25350"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-23T19:16:55Z",
"severity": "CRITICAL"
},
"details": "userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the \u0027taken\u0027 string to identify existing accounts in the system.",
"id": "GHSA-56j3-w2r5-qgxq",
"modified": "2026-05-26T13:30:27Z",
"published": "2026-05-26T13:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25350"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44872"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/userspice-username-enumeration-via-existingusernamecheck-php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-331: ICMP IP Total Length Field Probe
An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.
CAPEC-332: ICMP IP 'ID' Field Error Message Probe
An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.
CAPEC-541: Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
CAPEC-580: System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.