Common Weakness Enumeration

CWE-204

Allowed

Observable Response Discrepancy

Abstraction: Base · Status: Incomplete

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

297 vulnerabilities reference this CWE, most recent first.

GHSA-36GF-GHCV-F3QQ

Vulnerability from github – Published: 2024-09-10 12:30 – Updated: 2024-09-10 12:30
VLAI
Details

A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.14.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.2 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions < V10.6.12 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions < V9.24.26 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-49069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T10:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in Mendix Runtime V10 (All versions \u003c V10.14.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions \u003c V10.12.2 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions \u003c V10.6.12 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions \u003c V9.24.26 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames.",
  "id": "GHSA-36gf-ghcv-f3qq",
  "modified": "2024-09-10T12:30:37Z",
  "published": "2024-09-10T12:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49069"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-097435.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-36GX-9Q6H-G429

Vulnerability from github – Published: 2023-02-28 23:18 – Updated: 2026-05-29 20:49
VLAI
Summary
vantage6 vulnerable to Observable Response Discrepancy
Details

Impact

We are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One measure is that we don't let the user know in case of wrong username/password combination if the username actually exists, to prevent that bots can guess usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This way you could still find out which usernames exist.

Patches

Update to 3.8.0+

Workarounds

No

References

https://github.com/vantage6/vantage6/issues/59

For more information

If you have any questions or comments about this advisory: * Email us at vantage6@iknl.nl

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-28T23:18:37Z",
    "nvd_published_at": "2023-03-01T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWe are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One measure is that we don\u0027t let the user know in case of wrong username/password combination if the username actually exists, to prevent that bots can guess usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This way you could still find out which usernames exist.\n\n### Patches\nUpdate to 3.8.0+\n\n### Workarounds\nNo\n\n### References\nhttps://github.com/vantage6/vantage6/issues/59\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [vantage6@iknl.nl](mailto:vantage6@iknl.nl)",
  "id": "GHSA-36gx-9q6h-g429",
  "modified": "2026-05-29T20:49:19Z",
  "published": "2023-02-28T23:18:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-36gx-9q6h-g429"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39228"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/issues/59"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/pull/281"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/commit/ab4381c35d24add06f75d5a8a284321f7a340bd2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-313.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-52.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vantage6/vantage6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "vantage6 vulnerable to Observable Response Discrepancy"
}

GHSA-3765-5F6W-7P86

Vulnerability from github – Published: 2026-06-05 15:32 – Updated: 2026-06-05 15:32
VLAI
Details

Observable response discrepancy vulnerability in HAVELSAN Inc. Geographic Tracking System allows System Footprinting.

This issue affects Geographic Tracking System: before v0.0.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-05T15:16:53Z",
    "severity": "CRITICAL"
  },
  "details": "Observable response discrepancy vulnerability in HAVELSAN Inc. Geographic Tracking System allows System Footprinting.\n\nThis issue affects Geographic Tracking System: before v0.0.2.",
  "id": "GHSA-3765-5f6w-7p86",
  "modified": "2026-06-05T15:32:26Z",
  "published": "2026-06-05T15:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6207"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0325"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-387M-J3P9-3PHP

Vulnerability from github – Published: 2026-03-02 19:42 – Updated: 2026-03-02 19:42
VLAI
Summary
NocoDB Vulnerable to User Enumeration via Password Reset Endpoint
Details

Summary

The password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration.

Details

POST /api/v2/auth/password/forgot returned a success message for registered emails but 'Your email has not been registered.' for unknown emails. The fix returns a uniform response regardless of whether the email exists.

Impact

An unauthenticated attacker can determine whether an email is registered. No credentials or data are exposed.

Credit

This issue was reported by @Tulgaaaaaaaa.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.301.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.301.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T19:42:07Z",
    "nvd_published_at": "2026-03-02T17:16:33Z",
    "severity": "LOW"
  },
  "details": "### Summary\nThe password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration.\n\n### Details\n`POST /api/v2/auth/password/forgot` returned a success message for registered emails but `\u0027Your email has not been registered.\u0027` for unknown emails. The fix returns a uniform response regardless of whether the email exists.\n\n### Impact\nAn unauthenticated attacker can determine whether an email is registered. No credentials or data are exposed.\n\n### Credit\nThis issue was reported by [@Tulgaaaaaaaa](https://github.com/Tulgaaaaaaaa).",
  "id": "GHSA-387m-j3p9-3php",
  "modified": "2026-03-02T19:42:07Z",
  "published": "2026-03-02T19:42:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-387m-j3p9-3php"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28358"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB Vulnerable to User Enumeration via Password Reset Endpoint"
}

GHSA-38MG-MW32-J4P4

Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30
VLAI
Details

A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1). The affected application is vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T16:17:45Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in Gridscale X Prepay (All versions \u003c V4.2.1). The affected application is vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users.",
  "id": "GHSA-38mg-mw32-j4p4",
  "modified": "2025-12-09T18:30:36Z",
  "published": "2025-12-09T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40806"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-356310.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-38WQ-6Q2W-HCF9

Vulnerability from github – Published: 2026-02-25 18:53 – Updated: 2026-02-27 21:49
VLAI
Summary
Rucio WebUI has Username Enumeration via Login Error Message
Details

Summary

The WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames.

Details

When submitting invalid credentials to /ui/login, the WebUI responds with different error messages based on the existence of the provided username (identity). A non-existent username results in an error indicating that no account is associated with the identity, while an existing username with an incorrect password produces a different authentication-related error.

This behavioral difference allows an attacker to distinguish valid usernames from invalid ones by observing the response content.

Proof of Concept

Bogus Login (Non-existent Username "15251087")
Response contains:

Cannot get find any account associated with 15251087 identity.

Bogus Login (Existing Username "root", Wrong Password)
Response contains:

Cannot get auth token. It is possible that the presented identity root is not mapped to any Rucio account root.

The difference in error messages confirms whether a username exists.

Impact

An unauthenticated attacker can enumerate valid usernames, which may be leveraged for targeted password guessing, credential stuffing, or social engineering attacks.

Remediation / Mitigation

Return a generic authentication failure message for all login errors, regardless of whether the username exists. Avoid disclosing account or identity existence through error responses. Consider implementing rate limiting or additional login throttling to further reduce abuse.

Reources:

  • OWASP Authentication Cheat Sheet - Authentication and Error Messages: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "35.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "36.0.0rc1"
            },
            {
              "fixed": "38.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "39.0.0rc1"
            },
            {
              "fixed": "39.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T18:53:42Z",
    "nvd_published_at": "2026-02-25T20:23:47Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames.\n\n### Details\nWhen submitting invalid credentials to `/ui/login`, the WebUI responds with different error messages based on the existence of the provided username (identity). A non-existent username results in an error indicating that no account is associated with the identity, while an existing username with an incorrect password produces a different authentication-related error.\n\nThis behavioral difference allows an attacker to distinguish valid usernames from invalid ones by observing the response content.\n\n### Proof of Concept\n**Bogus Login (Non-existent Username \"15251087\")**  \nResponse contains:\n```\nCannot get find any account associated with 15251087 identity.\n```\n\n**Bogus Login (Existing Username \"root\", Wrong Password)**  \nResponse contains:\n```\nCannot get auth token. It is possible that the presented identity root is not mapped to any Rucio account root.\n```\n\nThe difference in error messages confirms whether a username exists.\n\n### Impact\nAn unauthenticated attacker can enumerate valid usernames, which may be leveraged for targeted password guessing, credential stuffing, or social engineering attacks.\n\n### Remediation / Mitigation\nReturn a generic authentication failure message for all login errors, regardless of whether the username exists. Avoid disclosing account or identity existence through error responses. Consider implementing rate limiting or additional login throttling to further reduce abuse.\n\n#### Reources:\n- OWASP Authentication Cheat Sheet -  Authentication and Error Messages: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages",
  "id": "GHSA-38wq-6q2w-hcf9",
  "modified": "2026-02-27T21:49:59Z",
  "published": "2026-02-25T18:53:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25138"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rucio/rucio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rucio WebUI has Username Enumeration via Login Error Message"
}

GHSA-3GGV-QWCP-J6XG

Vulnerability from github – Published: 2025-09-03 22:20 – Updated: 2025-09-03 22:20
VLAI
Summary
Mautic Vulnerable to User Enumeration via Response Timing
Details

Impact

The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks.

Patches

This vulnerability has been patched, implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether a user exists or not.

Technical Details

The vulnerability was caused by different response times when: - A valid username was provided (password hashing occurred) - An invalid username was provided (no password hashing occurred)

The fix introduces a TimingSafeFormLoginAuthenticator that performs a dummy password hash verification even for non-existent users, ensuring consistent timing.

Workarounds

No workarounds are available. Users should upgrade to the patched version.

References

  • https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
  • https://github.com/mautic/mautic-security/pull/146
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "4.4.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-alpha"
            },
            {
              "fixed": "5.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0-alpha"
            },
            {
              "fixed": "6.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-9824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-03T22:20:16Z",
    "nvd_published_at": "2025-09-03T15:15:49Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks.\n\n### Patches\nThis vulnerability has been patched, implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether a user exists or not.\n\n### Technical Details\nThe vulnerability was caused by different response times when:\n- A valid username was provided (password hashing occurred)\n- An invalid username was provided (no password hashing occurred)\n\nThe fix introduces a `TimingSafeFormLoginAuthenticator` that performs a dummy password hash verification even for non-existent users, ensuring consistent timing.\n\n### Workarounds\nNo workarounds are available. Users should upgrade to the patched version.\n\n### References\n- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account\n- https://github.com/mautic/mautic-security/pull/146",
  "id": "GHSA-3ggv-qwcp-j6xg",
  "modified": "2025-09-03T22:20:16Z",
  "published": "2025-09-03T22:20:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/security/advisories/GHSA-3ggv-qwcp-j6xg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9824"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/commit/6bc4f5f1aabb13df12714ad0ea9fc281cbb867c6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/commit/b4264c717ce31fbafafcefc04b02ecb9fb911e62"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mautic/mautic"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mautic Vulnerable to User Enumeration via Response Timing"
}

GHSA-3HMX-7W48-9WCC

Vulnerability from github – Published: 2023-09-04 15:30 – Updated: 2024-04-04 07:26
VLAI
Details

User enumeration vulnerability in Password Recovery plugin 1.2 version for Roundcube, which could allow a remote attacker to create a test script against the password recovery function to enumerate all users in the database.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3221"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-04T13:15:32Z",
    "severity": "MODERATE"
  },
  "details": "User enumeration vulnerability in Password Recovery plugin 1.2 version for Roundcube, which could allow a remote attacker to create a test script against the password recovery function to enumerate all users in the database.",
  "id": "GHSA-3hmx-7w48-9wcc",
  "modified": "2024-04-04T07:26:14Z",
  "published": "2023-09-04T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3221"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-roundcube-password-recovery-plugin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3Q4W-RF2J-FX5X

Vulnerability from github – Published: 2024-11-06 09:31 – Updated: 2024-11-06 09:31
VLAI
Details

Observable Response Discrepancy vulnerability in HumHub GmbH & Co. KG - HumHub on Linux allows: Excavation (user enumeration).This issue affects all released HumHub versions: through 1.16.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-06T08:15:03Z",
    "severity": "MODERATE"
  },
  "details": "Observable Response Discrepancy vulnerability in HumHub GmbH \u0026 Co. KG - HumHub on Linux allows: Excavation (user enumeration).This issue affects all released HumHub versions: through 1.16.2.",
  "id": "GHSA-3q4w-rf2j-fx5x",
  "modified": "2024-11-06T09:31:22Z",
  "published": "2024-11-06T09:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52043"
    },
    {
      "type": "WEB",
      "url": "https://github.com/humhub/humhub/security"
    },
    {
      "type": "WEB",
      "url": "https://www.vulsec.org/advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3QV6-5F5F-F89J

Vulnerability from github – Published: 2024-09-12 21:32 – Updated: 2024-09-12 21:32
VLAI
Details

User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-12T19:15:03Z",
    "severity": "MODERATE"
  },
  "details": "User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality.",
  "id": "GHSA-3qv6-5f5f-f89j",
  "modified": "2024-09-12T21:32:02Z",
  "published": "2024-09-12T21:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34336"
    },
    {
      "type": "WEB",
      "url": "https://mind-bytes.de/offenlegung-existierender-benutzerkonten-in-foss-online-cve-2024-34336"
    },
    {
      "type": "WEB",
      "url": "http://foss-online.com"
    },
    {
      "type": "WEB",
      "url": "http://ordat.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-331: ICMP IP Total Length Field Probe

An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.

CAPEC-332: ICMP IP 'ID' Field Error Message Probe

An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.

CAPEC-541: Application Fingerprinting

An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.

CAPEC-580: System Footprinting

An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.