CWE-204
AllowedObservable Response Discrepancy
Abstraction: Base · Status: Incomplete
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
297 vulnerabilities reference this CWE, most recent first.
GHSA-579X-CJVR-CQJ9
Vulnerability from github – Published: 2021-09-20 19:53 – Updated: 2021-09-17 18:38Impact
It is possible to enumerate usernames via the forgot password functionality
Patches
Update to version 10.1.3 or apply this patch manually: https://github.com/pimcore/pimcore/pull/10223.patch
Workarounds
Apply https://github.com/pimcore/pimcore/pull/10223.patch manually.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39189"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-17T18:38:47Z",
"nvd_published_at": "2021-09-15T14:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nIt is possible to enumerate usernames via the forgot password functionality\n\n### Patches\nUpdate to version `10.1.3` or apply this patch manually: https://github.com/pimcore/pimcore/pull/10223.patch\n\n### Workarounds\nApply https://github.com/pimcore/pimcore/pull/10223.patch manually. \n",
"id": "GHSA-579x-cjvr-cqj9",
"modified": "2021-09-17T18:38:47Z",
"published": "2021-09-20T19:53:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-579x-cjvr-cqj9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39189"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/pull/10223.patch"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/pull/10223/commits/d0a4de39cf05dce6af71f8ca039132bdfcbb0dce"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/pimcore"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/12462a99-ebf8-4e39-80b3-54a16caa3f4c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Observable Response Discrepancy in Lost Password Service"
}
GHSA-59MP-P3M2-6WR7
Vulnerability from github – Published: 2026-07-01 15:35 – Updated: 2026-07-06 15:30MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses.
Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
{
"affected": [],
"aliases": [
"CVE-2026-53908"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T13:17:45Z",
"severity": "MODERATE"
},
"details": "MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses.\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1\u00a0but may also affect other versions.",
"id": "GHSA-59mp-p3m2-6wr7",
"modified": "2026-07-06T15:30:45Z",
"published": "2026-07-01T15:35:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53908"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2026/07/CVE-2026-53902"
},
{
"type": "WEB",
"url": "https://mco.mycomplianceoffice.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5F5C-8RVC-J8WF
Vulnerability from github – Published: 2024-07-15 17:49 – Updated: 2024-07-15 21:39Summary
HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application.
The maintainer uncertain whether this should be classed as a "bug" or "security issue" – but is erring on the side of "security issue" as an application could reasonably assume OPA controls apply to all HTTP methods, and it bypasses more sophisticated policies.
Details
OpaMiddleware allows all HTTP OPTIONS requests without evaluating it against any policy:
https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80
If an application provides different responses to HTTP OPTIONS requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application (CWE-204).
PoC
This toy application is based on the behaviour of an app[^1] which can use fastapi-opa. The app uses the Allow header of a HTTP OPTIONS to indicate whether an entity is writable on a "system" level, and returns HTTP 404 for unknown entities:
[^1]: an open source app, not written by me
# Run with: fastapi dev opa-poc.py --port 9999
from fastapi import FastAPI, Response, HTTPException
from fastapi_opa import OPAConfig, OPAMiddleware
from fastapi_opa.auth.auth_api_key import APIKeyAuthentication, APIKeyConfig
# OPA doesn't actually need to be running for this example
opa_host = "http://localhost:8181"
api_key_config = APIKeyConfig(
header_key = 'ApiKey',
api_key = 'secret-key',
)
api_key_auth = APIKeyAuthentication(api_key_config)
opa_config = OPAConfig(authentication=api_key_auth, opa_host=opa_host)
app = FastAPI()
app.add_middleware(OPAMiddleware, config=opa_config)
WRITABLE_ITEMS = {
1: True,
2: False,
}
@app.get("/")
async def root() -> dict:
return {"msg": "success"}
@app.get("/items/{item_id}")
async def read_item(item_id: int):
if item_id not in WRITABLE_ITEMS:
raise HTTPException(status_code=404)
return {"item_id": item_id}
@app.options("/items/{item_id}")
async def read_item_options(response: Response, item_id: int) -> dict:
if item_id not in WRITABLE_ITEMS:
raise HTTPException(status_code=404)
response.headers["Allow"] = "OPTIONS, GET" + (", POST" if WRITABLE_ITEMS[item_id] else "")
return {}
As expected, HTTP GET requests fail consistently when unauthenticated, regardless of whether the entity exists, because read_item() is never executed:
$ curl -i 'http://localhost:9999/items/1'
HTTP/1.1 401 Unauthorized
server: uvicorn
content-length: 26
content-type: application/json
{"message":"Unauthorized"}
$ curl -i 'http://localhost:9999/items/3'
HTTP/1.1 401 Unauthorized
server: uvicorn
content-length: 26
content-type: application/json
{"message":"Unauthorized"}
However, HTTP OPTIONS requests are never authenticated by OpaMiddleware, so are passed straight through to read_item_options() and returned to unauthenticated users:
$ curl -i -X OPTIONS 'http://localhost:9999/items/1'
HTTP/1.1 200 OK
server: uvicorn
content-length: 2
content-type: application/json
allow: OPTIONS, GET, POST
{}
$ curl -i -X OPTIONS 'http://localhost:9999/items/2'
HTTP/1.1 200 OK
server: uvicorn
content-length: 2
content-type: application/json
allow: OPTIONS, GET
{}
$ curl -i -X OPTIONS 'http://localhost:9999/items/3'
HTTP/1.1 404 Not Found
server: uvicorn
content-length: 22
content-type: application/json
{"detail":"Not Found"}
Versions
fastapi-opa==2.0.0
fastapi==0.111.0
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fastapi-opa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-40627"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-15T17:49:25Z",
"nvd_published_at": "2024-07-15T20:15:05Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nHTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through directly to the application.\n\nThe maintainer uncertain whether this should be classed as a \"bug\" or \"security issue\" \u2013 but is erring on the side of \"security issue\" as an application could reasonably assume OPA controls apply to *all* HTTP methods, and it bypasses more sophisticated policies.\n\n### Details\n\n`OpaMiddleware` allows all HTTP `OPTIONS` requests without evaluating it against any policy:\n\nhttps://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80\n\nIf an application provides different responses to HTTP `OPTIONS` requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application (CWE-204).\n\n### PoC\n\nThis toy application is based on the behaviour of an app[^1] which can use `fastapi-opa`. The app uses the `Allow` header of a HTTP `OPTIONS` to indicate whether an entity is writable on a \"system\" level, and returns HTTP 404 for unknown entities:\n\n[^1]: an open source app, not written by me\n\n```python\n# Run with: fastapi dev opa-poc.py --port 9999\nfrom fastapi import FastAPI, Response, HTTPException\nfrom fastapi_opa import OPAConfig, OPAMiddleware\nfrom fastapi_opa.auth.auth_api_key import APIKeyAuthentication, APIKeyConfig\n\n# OPA doesn\u0027t actually need to be running for this example\nopa_host = \"http://localhost:8181\"\napi_key_config = APIKeyConfig(\n header_key = \u0027ApiKey\u0027,\n api_key = \u0027secret-key\u0027,\n)\napi_key_auth = APIKeyAuthentication(api_key_config)\nopa_config = OPAConfig(authentication=api_key_auth, opa_host=opa_host)\n\napp = FastAPI()\napp.add_middleware(OPAMiddleware, config=opa_config)\n\nWRITABLE_ITEMS = {\n 1: True,\n 2: False,\n}\n\n\n@app.get(\"/\")\nasync def root() -\u003e dict:\n return {\"msg\": \"success\"}\n\n@app.get(\"/items/{item_id}\")\nasync def read_item(item_id: int):\n if item_id not in WRITABLE_ITEMS:\n raise HTTPException(status_code=404)\n return {\"item_id\": item_id}\n\n@app.options(\"/items/{item_id}\")\nasync def read_item_options(response: Response, item_id: int) -\u003e dict:\n if item_id not in WRITABLE_ITEMS:\n raise HTTPException(status_code=404)\n\n response.headers[\"Allow\"] = \"OPTIONS, GET\" + (\", POST\" if WRITABLE_ITEMS[item_id] else \"\")\n return {}\n```\n\nAs expected, HTTP `GET` requests fail consistently when unauthenticated, regardless of whether the entity exists, because `read_item()` is never executed:\n\n```\n$ curl -i \u0027http://localhost:9999/items/1\u0027\nHTTP/1.1 401 Unauthorized\nserver: uvicorn\ncontent-length: 26\ncontent-type: application/json\n\n{\"message\":\"Unauthorized\"}\n\n$ curl -i \u0027http://localhost:9999/items/3\u0027\nHTTP/1.1 401 Unauthorized\nserver: uvicorn\ncontent-length: 26\ncontent-type: application/json\n\n{\"message\":\"Unauthorized\"}\n```\n\nHowever, HTTP `OPTIONS` requests are never authenticated by `OpaMiddleware`, so are passed straight through to `read_item_options()` and returned to unauthenticated users:\n\n```\n$ curl -i -X OPTIONS \u0027http://localhost:9999/items/1\u0027\nHTTP/1.1 200 OK\nserver: uvicorn\ncontent-length: 2\ncontent-type: application/json\nallow: OPTIONS, GET, POST\n\n{}\n\n$ curl -i -X OPTIONS \u0027http://localhost:9999/items/2\u0027\nHTTP/1.1 200 OK\nserver: uvicorn\ncontent-length: 2\ncontent-type: application/json\nallow: OPTIONS, GET\n\n{}\n\n$ curl -i -X OPTIONS \u0027http://localhost:9999/items/3\u0027\nHTTP/1.1 404 Not Found\nserver: uvicorn\ncontent-length: 22\ncontent-type: application/json\n\n{\"detail\":\"Not Found\"}\n```\n\n### Versions\n\n```\nfastapi-opa==2.0.0\nfastapi==0.111.0\n```",
"id": "GHSA-5f5c-8rvc-j8wf",
"modified": "2024-07-15T21:39:12Z",
"published": "2024-07-15T17:49:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/busykoala/fastapi-opa/security/advisories/GHSA-5f5c-8rvc-j8wf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40627"
},
{
"type": "WEB",
"url": "https://github.com/busykoala/fastapi-opa/commit/9458845a6f6f414c0b79587fae83d7f14d74dfb4"
},
{
"type": "WEB",
"url": "https://github.com/busykoala/fastapi-opa/commit/9588109ff651f7ffc92687129c4956126443fb8c"
},
{
"type": "PACKAGE",
"url": "https://github.com/busykoala/fastapi-opa"
},
{
"type": "WEB",
"url": "https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpaMiddleware does not filter HTTP OPTIONS requests"
}
GHSA-5R2M-QJQR-RJXF
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 15:30IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.
{
"affected": [],
"aliases": [
"CVE-2025-13460"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T14:17:54Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.",
"id": "GHSA-5r2m-qjqr-rjxf",
"modified": "2026-03-16T15:30:41Z",
"published": "2026-03-16T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13460"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7263486"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-62M9-V7G3-W362
Vulnerability from github – Published: 2025-02-11 03:30 – Updated: 2025-02-11 03:30SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability.
{
"affected": [],
"aliases": [
"CVE-2025-23193"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T01:15:10Z",
"severity": "MODERATE"
},
"details": "SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability.",
"id": "GHSA-62m9-v7g3-w362",
"modified": "2025-02-11T03:30:55Z",
"published": "2025-02-11T03:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23193"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3561264"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-63PC-J336-8QQ4
Vulnerability from github – Published: 2026-05-06 18:30 – Updated: 2026-05-06 18:30A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device.
This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system.
{
"affected": [],
"aliases": [
"CVE-2026-20195"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T17:16:21Z",
"severity": "MODERATE"
},
"details": "A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device.\n\nThis vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system.",
"id": "GHSA-63pc-j336-8qq4",
"modified": "2026-05-06T18:30:31Z",
"published": "2026-05-06T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20195"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-bypass-uxjRXGpb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-654X-9Q7R-G966
Vulnerability from github – Published: 2026-02-02 21:52 – Updated: 2026-02-11 14:14Summary
The authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process.
Vulnerability Details
- The password reset flow returns different responses based on whether the provided email address exists in the database or not.
- If the email is registered, the system typically returns a success message (e.g., "Password reset link has been sent").
If the email is not registered, the system returns an error message (e.g., "User not found" or a different HTTP status code).
This discrepancy allows attackers to programmatically "enumerate" or confirm valid user emails, which can then be used for targeted phishing attacks or brute-force attempts.
Steps to Reproduce
- Navigate to the password reset page of the CI4MS installation.
- Enter an email address that you know is not registered (e.g., nonexistent@example.com) and submit. Note the response message/code.
- Enter an email address that is registered (e.g., an admin or test account) and submit. Note the different response.
- The difference between these two responses confirms the enumeration vulnerability.
Suggested Mitigation
Implement a uniform, generic response for all password reset requests, regardless of whether the email exists. Recommended message: "If an account is associated with this email address, a password reset link has been sent."
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ci4-cms-erp/ci4ms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.28.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25509"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T21:52:06Z",
"nvd_published_at": "2026-02-03T22:16:31Z",
"severity": "MODERATE"
},
"details": "**Summary**\n\nThe authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application\u0027s response during the password reset process.\n\n**Vulnerability Details**\n\n- The password reset flow returns different responses based on whether the provided email address exists in the database or not.\n- If the email is registered, the system typically returns a success message (e.g., \"Password reset link has been sent\").\n\nIf the email is not registered, the system returns an error message (e.g., \"User not found\" or a different HTTP status code).\n\nThis discrepancy allows attackers to programmatically \"enumerate\" or confirm valid user emails, which can then be used for targeted phishing attacks or brute-force attempts.\n\n**Steps to Reproduce**\n\n1. Navigate to the password reset page of the CI4MS installation.\n2. Enter an email address that you know is not registered (e.g., nonexistent@example.com) and submit. Note the response message/code.\n3. Enter an email address that is registered (e.g., an admin or test account) and submit. Note the different response.\n4. The difference between these two responses confirms the enumeration vulnerability.\n\n**Suggested Mitigation**\n\nImplement a uniform, generic response for all password reset requests, regardless of whether the email exists. Recommended message: \"If an account is associated with this email address, a password reset link has been sent.\"",
"id": "GHSA-654x-9q7r-g966",
"modified": "2026-02-11T14:14:07Z",
"published": "2026-02-02T21:52:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-654x-9q7r-g966"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25509"
},
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653"
},
{
"type": "PACKAGE",
"url": "https://github.com/ci4-cms-erp/ci4ms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "CI4MS Vulnerable to User Email Enumeration via Password Reset Flow"
}
GHSA-65HG-2RXP-4W4R
Vulnerability from github – Published: 2022-12-22 12:30 – Updated: 2022-12-29 18:30A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-41697"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T10:15:00Z",
"severity": "MODERATE"
},
"details": "A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability.",
"id": "GHSA-65hg-2rxp-4w4r",
"modified": "2022-12-29T18:30:23Z",
"published": "2022-12-22T12:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41697"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1625"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6C55-4C23-GP8X
Vulnerability from github – Published: 2025-10-23 21:31 – Updated: 2025-10-23 21:31The Frontier Airlines website has a publicly available endpoint that validates if an email addresses is associated with an account. An unauthenticated, remote attacker could determine valid email addresses, possibly aiding in further attacks.
{
"affected": [],
"aliases": [
"CVE-2025-62236"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-23T20:15:40Z",
"severity": "MODERATE"
},
"details": "The Frontier Airlines website has a publicly available endpoint that validates if an email addresses is associated with an account. An unauthenticated, remote attacker could determine valid email addresses, possibly aiding in further attacks.",
"id": "GHSA-6c55-4c23-gp8x",
"modified": "2025-10-23T21:31:44Z",
"published": "2025-10-23T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62236"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-296-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62236"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6CG9-7RR8-CVJ2
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-15 18:31Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle.
_csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden csrf_token input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle.
An attacker able to query it can recover the token and pass csrf_protect validation.
{
"affected": [],
"aliases": [
"CVE-2026-15747"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:12Z",
"severity": "CRITICAL"
},
"details": "Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle.\n\n_csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle.\n\nAn attacker able to query it can recover the token and pass csrf_protect validation.",
"id": "GHSA-6cg9-7rr8-cvj2",
"modified": "2026-07-15T18:31:46Z",
"published": "2026-07-14T18:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15747"
},
{
"type": "WEB",
"url": "https://github.com/mojolicious/mojo/commit/01921fbbbbeca2d1397e082d4a647f9b84c24e27.patch"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/SRI/Mojolicious-9.48/changes"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/14/16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-331: ICMP IP Total Length Field Probe
An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.
CAPEC-332: ICMP IP 'ID' Field Error Message Probe
An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.
CAPEC-541: Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
CAPEC-580: System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.