CWE-204
AllowedObservable Response Discrepancy
Abstraction: Base · Status: Incomplete
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
297 vulnerabilities reference this CWE, most recent first.
GHSA-VGX9-M8H2-6VMQ
Vulnerability from github – Published: 2023-07-30 12:30 – Updated: 2024-04-04 06:25Tadiran Telecom Aeonix - CWE-204: Observable Response Discrepancy
{
"affected": [],
"aliases": [
"CVE-2023-37217"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-30T11:15:09Z",
"severity": "MODERATE"
},
"details": " Tadiran Telecom Aeonix - CWE-204: Observable Response Discrepancy",
"id": "GHSA-vgx9-m8h2-6vmq",
"modified": "2024-04-04T06:25:59Z",
"published": "2023-07-30T12:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37217"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VHWX-7FP7-5Q6G
Vulnerability from github – Published: 2025-06-12 21:30 – Updated: 2025-06-12 21:30User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences.
{
"affected": [],
"aliases": [
"CVE-2025-5485"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-12T20:15:22Z",
"severity": "HIGH"
},
"details": "User names used to access the web management interface are limited to \nthe device identifier, which is a numerical identifier no more than 10 \ndigits. A malicious actor can enumerate potential targets by \nincrementing or decrementing from known identifiers or through \nenumerating random digit sequences.",
"id": "GHSA-vhwx-7fp7-5q6g",
"modified": "2025-06-12T21:30:31Z",
"published": "2025-06-12T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5485"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-160-01"
},
{
"type": "WEB",
"url": "https://www.sinotrackgps.com/help-center"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VPFX-PXQW-2W79
Vulnerability from github – Published: 2026-05-18 13:30 – Updated: 2026-06-09 10:28CVE-2026-43881 fix d9cdc7024 patched users.json.php only. The same anti-pattern survives at master HEAD in:
objects/mention.json.php:17 $ignoreAdmin = true;
objects/mention.json.php:18 $users = User::getAllUsers($ignoreAdmin,
['name', 'email', 'user', 'channelName'], 'a');
No User::loginCheck(), no admin gate. Only entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "WWBN/AVideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45620"
],
"database_specific": {
"cwe_ids": [
"CWE-204",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T13:30:05Z",
"nvd_published_at": "2026-05-29T14:16:31Z",
"severity": "MODERATE"
},
"details": "CVE-2026-43881 fix `d9cdc7024` patched `users.json.php` only. The same anti-pattern survives at master HEAD in:\n\n```\nobjects/mention.json.php:17 $ignoreAdmin = true;\nobjects/mention.json.php:18 $users = User::getAllUsers($ignoreAdmin,\n [\u0027name\u0027, \u0027email\u0027, \u0027user\u0027, \u0027channelName\u0027], \u0027a\u0027);\n```\n\nNo `User::loginCheck()`, no admin gate. Only entry guard: `preg_match(\u0027/^@/\u0027, $_REQUEST[\u0027term\u0027])` and hard-coded `rowCount=10`.",
"id": "GHSA-vpfx-pxqw-2w79",
"modified": "2026-06-09T10:28:13Z",
"published": "2026-05-18T13:30:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45620"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-6rvw-7p8v-mjfq"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`"
}
GHSA-VR5F-PHP7-RG24
Vulnerability from github – Published: 2025-02-07 20:27 – Updated: 2025-02-11 17:22pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. No generic error message has been implemented. This issue has been addressed in version 1.7.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pimcore/admin-ui-classic-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24980"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-07T20:27:43Z",
"nvd_published_at": "2025-02-07T20:15:33Z",
"severity": "MODERATE"
},
"details": "pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via \"Forgot password\" function. No generic error message has been implemented. This issue has been addressed in version 1.7.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
"id": "GHSA-vr5f-php7-rg24",
"modified": "2025-02-11T17:22:14Z",
"published": "2025-02-07T20:27:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-vr5f-php7-rg24"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24980"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/pull/808"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/96ae555578c3b4df368092d71e07a6c4ddf8fbe9"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/admin-ui-classic-bundle"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Pimcore Admin Classic Bundle allows user enumeration"
}
GHSA-VW87-WRX2-XWXQ
Vulnerability from github – Published: 2024-02-20 15:31 – Updated: 2024-02-20 15:31IBM Common Licensing 9.0 could allow a local user to enumerate usernames due to an observable response discrepancy. IBM X-Force ID: 273337.
{
"affected": [],
"aliases": [
"CVE-2023-50306"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T14:15:08Z",
"severity": "MODERATE"
},
"details": "IBM Common Licensing 9.0 could allow a local user to enumerate usernames due to an observable response discrepancy. IBM X-Force ID: 273337.",
"id": "GHSA-vw87-wrx2-xwxq",
"modified": "2024-02-20T15:31:04Z",
"published": "2024-02-20T15:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50306"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/273337"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7120660"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W2R4-CM6P-7H86
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.
{
"affected": [],
"aliases": [
"CVE-2025-3092"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T09:15:25Z",
"severity": "HIGH"
},
"details": "An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.",
"id": "GHSA-w2r4-cm6p-7h86",
"modified": "2025-06-26T21:31:05Z",
"published": "2025-06-26T21:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3092"
},
{
"type": "WEB",
"url": "https://certvde.com/en/advisories/VDE-2025-035"
},
{
"type": "WEB",
"url": "https://certvde.com/en/advisories/VDE-2025-038"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W4W5-G7XP-7Q82
Vulnerability from github – Published: 2024-09-08 12:32 – Updated: 2024-09-08 12:32Loway - CWE-204: Observable Response Discrepancy
{
"affected": [],
"aliases": [
"CVE-2024-42343"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-08T12:15:10Z",
"severity": "MODERATE"
},
"details": "Loway - CWE-204: Observable Response Discrepancy",
"id": "GHSA-w4w5-g7xp-7q82",
"modified": "2024-09-08T12:32:45Z",
"published": "2024-09-08T12:32:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42343"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W54V-HF9P-8856
Vulnerability from github – Published: 2026-03-11 00:36 – Updated: 2026-03-11 21:37Impact
The email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application.
This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true).
Patches
The fix introduces a new Parse Server option emailVerifySuccessOnInvalidEmail (default: true) that returns a generic success response for all verification email requests, regardless of whether the email address is valid, already verified, or non-existent. This prevents an attacker from distinguishing between these cases.
The fix also strengthens the input validation for the related resetPasswordSuccessOnInvalidEmail option, and adds security checks that warn when either enumeration mitigation is disabled.
Workarounds
There is no known workaround.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.34
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-alpha.1"
},
{
"fixed": "9.6.0-alpha.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.34"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31901"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T00:36:13Z",
"nvd_published_at": "2026-03-11T20:16:16Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe email verification endpoint (`/verificationEmailRequest`) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application.\n\nThis is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (`verifyUserEmails: true`).\n\n### Patches\n\nThe fix introduces a new Parse Server option `emailVerifySuccessOnInvalidEmail` (default: `true`) that returns a generic success response for all verification email requests, regardless of whether the email address is valid, already verified, or non-existent. This prevents an attacker from distinguishing between these cases.\n\nThe fix also strengthens the input validation for the related `resetPasswordSuccessOnInvalidEmail` option, and adds security checks that warn when either enumeration mitigation is disabled.\n\n### Workarounds\n\nThere is no known workaround.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.34",
"id": "GHSA-w54v-hf9p-8856",
"modified": "2026-03-11T21:37:44Z",
"published": "2026-03-11T00:36:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31901"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.34"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Parse Server vulnerable to user enumeration via email verification endpoint"
}
GHSA-WFJW-W6PV-8P7F
Vulnerability from github – Published: 2022-02-01 00:47 – Updated: 2025-03-07 19:09Impact
User enumeration in database authentication in Flask-AppBuilder < 3.4.4. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in.
Patches
Upgrade to 3.4.4
Workarounds
References
For more information
If you have any questions or comments about this advisory: * Open an issue in example link to repo * Email us at example email address
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Flask-AppBuilder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-21659"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-31T20:19:12Z",
"nvd_published_at": "2022-01-31T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nUser enumeration in database authentication in Flask-AppBuilder \u003c 3.4.4. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in.\n\n### Patches\nUpgrade to 3.4.4\n\n### Workarounds\n\n### References\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)",
"id": "GHSA-wfjw-w6pv-8p7f",
"modified": "2025-03-07T19:09:24Z",
"published": "2022-02-01T00:47:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21659"
},
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1775"
},
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/e2b744c258ff62ece9d5ac7172c3b4644ff4c2fe"
},
{
"type": "PACKAGE",
"url": "https://github.com/dpgaspar/Flask-AppBuilder"
},
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/commits/v3.4.4"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Observable Response Discrepancy in Flask-AppBuilder"
}
GHSA-WMHC-QW7C-4774
Vulnerability from github – Published: 2023-12-19 00:30 – Updated: 2023-12-19 00:30An observable response discrepancy in the Gallagher Command Centre RESTAPI allows an insufficiently-privileged user to infer the presence of items that would not otherwise be viewable.
This issue affects: Gallagher Command Centre 8.70 prior to vEL8.70.1787 (MR2), 8.60 prior to vEL8.60.2039 (MR4), all version of 8.50 and prior.
{
"affected": [],
"aliases": [
"CVE-2023-23584"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-18T22:15:08Z",
"severity": "MODERATE"
},
"details": "\nAn observable response discrepancy in the Gallagher Command Centre RESTAPI allows an insufficiently-privileged user to infer the presence of items that would not otherwise be viewable. \n\nThis issue affects: Gallagher Command Centre 8.70 prior to vEL8.70.1787 (MR2), 8.60 prior to vEL8.60.2039 (MR4), all version of 8.50 and prior.\n\n",
"id": "GHSA-wmhc-qw7c-4774",
"modified": "2023-12-19T00:30:17Z",
"published": "2023-12-19T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23584"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/Security-Advisories/CVE-2023-23584"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-331: ICMP IP Total Length Field Probe
An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.
CAPEC-332: ICMP IP 'ID' Field Error Message Probe
An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.
CAPEC-541: Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
CAPEC-580: System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.