CVE-2024-0391 (GCVE-0-2024-0391)
Vulnerability from cvelistv5 – Published: 2026-05-11 08:45 – Updated: 2026-05-11 12:46
VLAI
Title
Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery
Summary
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.
The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
Severity
5.3 (Medium)
CWE
- CWE-204 - Observable response discrepancy
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.docs.wso2.com/en/latest/security… | vendor-advisory |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| WSO2 | WSO2 Identity Server |
Unknown:
0 , < 5.10.0
(custom)
Affected: 5.10.0 , < 5.10.0.379 (custom) Affected: 5.11.0 , < 5.11.0.426 (custom) Affected: 5.11.0 , < 5.11.0.431 (custom) Affected: 6.0.0 , < 6.0.0.253 (custom) Affected: 6.1.0 , < 6.1.0.254 (custom) Affected: 7.0.0 , < 7.0.0.131 (custom) |
|
| WSO2 | WSO2 Open Banking IAM |
Unknown:
0 , < 2.0.0
(custom)
Affected: 2.0.0 , < 2.0.0.318 (custom) |
|
| WSO2 | WSO2 Identity Server as Key Manager |
Unknown:
0 , < 5.10.0
(custom)
Affected: 5.10.0 , < 5.10.0.267 (custom) |
|
| WSO2 | Email OTP Authenticator |
Affected:
1.0.18 , < 1.0.18.7
(custom)
Unaffected: 1.0.24 , ≤ * (custom) |
|
| WSO2 | WSO2 Carbon Authenticator Library For EmailOTP |
Affected:
4.1.0 , < 4.1.0.8
(custom)
Affected: 4.1.4 , < 4.1.4.9 (custom) Unaffected: 4.1.22 , ≤ * (custom) |
|
| WSO2 | WSO2 Carbon Authenticator Library For EmailOTP |
Affected:
3.0.5 , < 3.0.5.8
(custom)
Affected: 3.0.24 , < 3.0.24.6 (custom) Affected: 3.0.26 , < 3.0.26.16 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0391",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T12:45:51.278289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T12:46:03.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.379",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.426",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "5.11.0.431",
"status": "affected",
"version": "5.11.0",
"versionType": "custom"
},
{
"lessThan": "6.0.0.253",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.1.0.254",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "7.0.0.131",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Open Banking IAM",
"vendor": "WSO2",
"versions": [
{
"lessThan": "2.0.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.0.0.318",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WSO2 Identity Server as Key Manager",
"vendor": "WSO2",
"versions": [
{
"lessThan": "5.10.0",
"status": "unknown",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.10.0.267",
"status": "affected",
"version": "5.10.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.identity.local.auth.emailotp:org.wso2.carbon.identity.local.auth.emailotp",
"product": "Email OTP Authenticator",
"vendor": "WSO2",
"versions": [
{
"lessThan": "1.0.18.7",
"status": "affected",
"version": "1.0.18",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "1.0.24",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.extension.identity.authenticator.outbound.emailotp:org.wso2.carbon.identity.authenticator.emailotp",
"product": "WSO2 Carbon Authenticator Library For EmailOTP",
"vendor": "WSO2",
"versions": [
{
"lessThan": "4.1.0.8",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.1.4.9",
"status": "affected",
"version": "4.1.4",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "4.1.22",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"packageName": "org.wso2.carbon.extension.identity.authenticator.outbound.emailotp:org.wso2.carbon.extension.identity.authenticator.emailotp.connector",
"product": "WSO2 Carbon Authenticator Library For EmailOTP",
"vendor": "WSO2",
"versions": [
{
"lessThan": "3.0.5.8",
"status": "affected",
"version": "3.0.5",
"versionType": "custom"
},
{
"lessThan": "3.0.24.6",
"status": "affected",
"version": "3.0.24",
"versionType": "custom"
},
{
"lessThan": "3.0.26.16",
"status": "affected",
"version": "3.0.26",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.379",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.0.426",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.0.431",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.0.253",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.0.254",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.0.131",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.0.318",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.0.267",
"versionStartIncluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:email_otp_authenticator:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.0.18.7",
"versionStartIncluding": "1.0.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:email_otp_authenticator:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "1.0.24",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.0.8",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.1.4.9",
"versionStartIncluding": "4.1.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*",
"versionEndIncluding": "*",
"versionStartIncluding": "4.1.22",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.0.5.8",
"versionStartIncluding": "3.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.0.24.6",
"versionStartIncluding": "3.0.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.0.26.16",
"versionStartIncluding": "3.0.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization\u0027s reputation and leading to regulatory non-compliance and financial consequences."
}
],
"value": "The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization\u0027s reputation and leading to regulatory non-compliance and financial consequences."
}
],
"impacts": [
{
"capecId": "CAPEC-249",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-249 CAPEC-249: Inferential Information Gathering"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204 Observable response discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T08:45:33.754Z",
"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"shortName": "WSO2"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution"
}
],
"source": {
"advisory": "WSO2-2024-3115",
"discovery": "INTERNAL"
},
"title": "Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
"assignerShortName": "WSO2",
"cveId": "CVE-2024-0391",
"datePublished": "2026-05-11T08:45:33.754Z",
"dateReserved": "2024-01-10T09:02:14.122Z",
"dateUpdated": "2026-05-11T12:46:03.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-0391",
"date": "2026-05-28",
"epss": "0.00036",
"percentile": "0.11213"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-0391\",\"sourceIdentifier\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"published\":\"2026-05-11T10:16:11.593\",\"lastModified\":\"2026-05-27T19:54:32.347\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\\n\\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization\u0027s reputation and leading to regulatory non-compliance and financial consequences.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-204\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.10.0\",\"versionEndExcluding\":\"5.10.0.379\",\"matchCriteriaId\":\"760849A7-CF72-4CF1-BEC6-8E47AC5ADE29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11.0\",\"versionEndExcluding\":\"5.11.0.426\",\"matchCriteriaId\":\"D4F45B46-613A-4DE3-B6BB-A30D635A860E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.0.0.253\",\"matchCriteriaId\":\"7AE280EA-5F20-4D83-A72A-07526AF65067\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.0\",\"versionEndExcluding\":\"6.1.0.254\",\"matchCriteriaId\":\"A34A0057-4EE7-4D20-A343-09592A508849\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.0.0.131\",\"matchCriteriaId\":\"110F5D8D-32E8-4E7B-8925-D04781FC8B2D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.10.0\",\"versionEndExcluding\":\"5.10.267\",\"matchCriteriaId\":\"EAEE7A87-67DA-4266-B0D0-7E4FD5475B4F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wso2:open_banking_iam:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.0.0.318\",\"matchCriteriaId\":\"5D551292-3788-4775-B02A-1C8CA02AFECC\"}]}]}],\"references\":[{\"url\":\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/\",\"source\":\"ed10eef1-636d-4fbe-9993-6890dfa878f8\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-0391\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-11T12:45:51.278289Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-11T12:45:59.492Z\"}}], \"cna\": {\"title\": \"Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery\", \"source\": {\"advisory\": \"WSO2-2024-3115\", \"discovery\": \"INTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-249\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-249 CAPEC-249: Inferential Information Gathering\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"WSO2\", \"product\": \"WSO2 Identity Server\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"5.10.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.10.0\", \"lessThan\": \"5.10.0.379\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.11.0\", \"lessThan\": \"5.11.0.426\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.11.0\", \"lessThan\": \"5.11.0.431\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"lessThan\": \"6.0.0.253\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.1.0\", \"lessThan\": \"6.1.0.254\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.0.0\", \"lessThan\": \"7.0.0.131\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Open Banking IAM\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"2.0.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.0.0\", \"lessThan\": \"2.0.0.318\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Identity Server as Key Manager\", \"versions\": [{\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"5.10.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.10.0\", \"lessThan\": \"5.10.0.267\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WSO2\", \"product\": \"Email OTP Authenticator\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.18\", \"lessThan\": \"1.0.18.7\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"1.0.24\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"*\"}], \"packageName\": \"org.wso2.carbon.identity.local.auth.emailotp:org.wso2.carbon.identity.local.auth.emailotp\", \"defaultStatus\": \"unknown\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Carbon Authenticator Library For EmailOTP\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.1.0\", \"lessThan\": \"4.1.0.8\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"4.1.4\", \"lessThan\": \"4.1.4.9\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"4.1.22\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"*\"}], \"packageName\": \"org.wso2.carbon.extension.identity.authenticator.outbound.emailotp:org.wso2.carbon.identity.authenticator.emailotp\", \"defaultStatus\": \"unknown\"}, {\"vendor\": \"WSO2\", \"product\": \"WSO2 Carbon Authenticator Library For EmailOTP\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.5\", \"lessThan\": \"3.0.5.8\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.0.24\", \"lessThan\": \"3.0.24.6\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.0.26\", \"lessThan\": \"3.0.26.16\", \"versionType\": \"custom\"}], \"packageName\": \"org.wso2.carbon.extension.identity.authenticator.outbound.emailotp:org.wso2.carbon.extension.identity.authenticator.emailotp.connector\", \"defaultStatus\": \"unknown\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: transparent;\\\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution\\\"\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\\n\\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization\u0027s reputation and leading to regulatory non-compliance and financial consequences.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\\n\\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization\u0027s reputation and leading to regulatory non-compliance and financial consequences.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-204\", \"description\": \"CWE-204 Observable response discrepancy\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.0.379\", \"versionStartIncluding\": \"5.10.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.11.0.426\", \"versionStartIncluding\": \"5.11.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.11.0.431\", \"versionStartIncluding\": \"5.11.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.0.0.253\", \"versionStartIncluding\": \"6.0.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.0.254\", \"versionStartIncluding\": \"6.1.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"7.0.0.131\", \"versionStartIncluding\": \"7.0.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"2.0.0.318\", \"versionStartIncluding\": \"2.0.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.0.267\", \"versionStartIncluding\": \"5.10.0\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:email_otp_authenticator:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.0.18.7\", \"versionStartIncluding\": \"1.0.18\"}, {\"criteria\": \"cpe:2.3:a:wso2:email_otp_authenticator:*:*:*:*:*:*:*:*\", \"vulnerable\": false, \"versionEndIncluding\": \"*\", \"versionStartIncluding\": \"1.0.24\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.1.0.8\", \"versionStartIncluding\": \"4.1.0\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.1.4.9\", \"versionStartIncluding\": \"4.1.4\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*\", \"vulnerable\": false, \"versionEndIncluding\": \"*\", \"versionStartIncluding\": \"4.1.22\"}], \"operator\": \"OR\"}, {\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"3.0.5.8\", \"versionStartIncluding\": \"3.0.5\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"3.0.24.6\", \"versionStartIncluding\": \"3.0.24\"}, {\"criteria\": \"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"3.0.26.16\", \"versionStartIncluding\": \"3.0.26\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"ed10eef1-636d-4fbe-9993-6890dfa878f8\", \"shortName\": \"WSO2\", \"dateUpdated\": \"2026-05-11T08:45:33.754Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-0391\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T12:46:03.691Z\", \"dateReserved\": \"2024-01-10T09:02:14.122Z\", \"assignerOrgId\": \"ed10eef1-636d-4fbe-9993-6890dfa878f8\", \"datePublished\": \"2026-05-11T08:45:33.754Z\", \"assignerShortName\": \"WSO2\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…