141 matches found
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack due to differences in response times for existing and non-existing users in the password reset functionality. An attacker can determine the existence of usernames by observing the time it takes for the server to respond...
CVE-2024-24720
An issue was discovered in the Forgot password function in Innovaphone PBX before 14r1 devices. It provides information about whether a user exists on a system...
CVE-2024-8651
A vulnerability in NetCat CMS allows an attacker to send a specially crafted http request that can be used to check whether a user exists in the system, which could be a basis for further attacks. This issue affects NetCat CMS v. 6.4.0.24126.2 and possibly others. Apply patch from vendor...
CVE-2023-31286
An issue was discovered in Serenity Serene and StartSharp before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a non-existent user, an error message indicates that this user does not exist...
CVE-2023-5254
The ChatBot plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.8.9 via the qcldwbchatbotcheckuser function. This can allow unauthenticated attackers to extract sensitive data including confirmation as to whether a user name exists on the site ...
CVE-2022-22700
CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant...
Observable Response Discrepancy
Overview Affected versions of this package are vulnerable to Observable Response Discrepancy due to the timing analysis of post-login API responses. An attacker can determine if a specific user account exists by observing the response times. Remediation Upgrade Umbraco.Cms.Web.BackOffice to versi...
CVE-2025-30344
OpenSlides before 4.2.5 is affected by a timing-side channel vulnerability in /system/auth/login/. The response time differs depending on whether a user exists because password hashing is omitted in login handling, enabling potential information disclosure. The documented impact is a low-to-mediu...
CVE-2025-23193
SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server...
PT-2025-6126 · Sap · Sap Netweaver Abap Server
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver Server ABAP versions prior to the fixed version Description: The issue allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user,...
Timing Attack
Overview django-allauth is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party social account authentication. Affected versions of this package are vulnerable to Timing Attack in the AuthenticationBackend.authenticatebyemail...
CVE-2024-49358
ZimaOS (fork of CasaOS) prior to and including 1.2.4 is affected by CVE-2024-49358 due to an API behavior at /v1/users/login that reveals whether a username exists, enabling username enumeration. This is a network-facing issue with CVSS 5.3 (MEDIUM); no patched versions are publicly available per...
CVE-2024-8651
A vulnerability in NetCat CMS allows an attacker to send a specially crafted http request that can be used to check whether a user exists in the system, which could be a basis for further attacks. This issue affects NetCat CMS v. 6.4.0.24126.2 and possibly others. Apply patch from vendor...
CVE-2024-8651
A vulnerability in NetCat CMS allows an attacker to send a specially crafted http request that can be used to check whether a user exists in the system, which could be a basis for further attacks. This issue affects NetCat CMS v. 6.4.0.24126.2 and possibly others. Apply patch from vendor...
CVE-2024-8651
CVE-2024-8651 — NetCat CMS: user enumeration involves a vulnerability where an attacker can send a specially crafted HTTP request to check whether a user exists in the system. Affected are NetCat CMS versions around 6.4.0.24126.2 up to 6.4.0.24247, with a patch available starting from 6.4.0.24248...
PT-2024-39150 · Unknown · Netcat Cms
Name of the Vulnerable Software and Affected Versions: NetCat CMS versions 6.4.0.24126.2 through 6.4.0.24247 Description: A vulnerability in NetCat CMS allows an attacker to send a specially crafted HTTP request to check whether a user exists in the system. This issue could be a basis for further...
CVE-2024-36996
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt t...
CVE-2024-36996
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt t...
CVE-2024-36996
CVE-2024-36996 affects Splunk Enterprise and Splunk Cloud Platform where SAML is enabled. Affected: Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10; Splunk Cloud Platform below 9.1.2312.109. An attacker could learn whether another user exists by deciphering the login error response, ena...
PT-2024-20486 · Cdex · Cdex
Name of the Vulnerable Software and Affected Versions: CDeX application versions through 5.7.1 Description: This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users...