141 matches found
Jenkins allows attackers to determine whether a user exists
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts...
GHSA-9VG9-X38G-9HFX Jenkins allows attackers to determine whether a user exists
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts...
CyberArk Identity Security Feature Issue Vulnerability
CyberArk Identity, a CyberArk company, provides the most complete identity security platform to secure all identities from end-to-end.CyberArk Identity is vulnerable to a security signature issue that stems from the fact that the StartAuthentication resource exposes the response header X-CFY-TX-T...
CVE-2022-22700
CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant...
CVE-2022-22700
CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant...
CVE-2022-22700
CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant...
CyberArk Identity 安全特征问题漏洞
CyberArk Identity, a CyberArk company, provides the most complete identity security platform to secure all identities from end-to-end.CyberArk Identity is vulnerable to a security signature issue that stems from the fact that the StartAuthentication resource exposes the response header X-CFY-TX-T...
Design/Logic Flaw
ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists...
CVE-2021-20147
Affected product: ManageEngine ADSelfService Plus (below build 6116). Vulnerability: observable response discrepancy in the UMCP operation of the ChangePasswordAPI that can be exploited by an unauthenticated remote attacker to determine whether a Windows domain user exists. Root cause / vulnerabi...
CVE-2016-20012
OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE...
CVE-2021-30156
In mediawiki package, the "Special:Contributions" functionality can leak information that a "hidden" user exists...
CVE-2021-30156
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists...
Updated mediawiki packages fix security vulnerability
Multiple security issues were discovered in MediaWiki: SpecialUserRights could leak whether a user existed or not, multiple code paths lacked HTML sanitisation allowing for cross-site scripting and TOTP validation applied insufficient rate limiting against brute force attempts CVE-2020-25812,...
CVE-2020-13998
Citrix XenApp 6.5, when 2FA is enabled, allows a remote unauthenticated attacker to ascertain whether a user exists on the server, because the 2FA error page only occurs after a valid username is entered. NOTE: This vulnerability only affects products that are no longer supported by the maintaine...
CVE-2020-13998
Citrix XenApp 6.5, when 2FA is enabled, allows a remote unauthenticated attacker to ascertain whether a user exists on the server, because the 2FA error page only occurs after a valid username is entered. NOTE: This vulnerability only affects products that are no longer supported by the maintaine...
CVE-2020-13998
Citrix XenApp 6.5, when 2FA is enabled, allows a remote unauthenticated attacker to ascertain whether a user exists on the server, because the 2FA error page only occurs after a valid username is entered. NOTE: This vulnerability only affects products that are no longer supported by the maintaine...
PT-2020-13827 · Citrix · Citrix Xenapp
Name of the Vulnerable Software and Affected Versions: Citrix XenApp version 6.5 Description: The issue allows a remote unauthenticated attacker to determine whether a user exists on the server when two-factor authentication 2FA is enabled. This is because the 2FA error page is only displayed aft...
MSOLSpray - A Password Spraying Tool For Microsoft Online Accounts (Azure/O365)
A password spraying tool for Microsoft Online accounts Azure/O365. The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled. BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS! Why...
SUSE-SU-2018:3776-2 Security update for openssh
This update for openssh fixes the following issues: Following security issues have been fixed: - CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not...
CVE-2019-7550
In JForum 2.1.8, an unauthenticated, remote attacker can enumerate whether a user exists by using the "create user" function. If a register/check/username?username= request corresponds to a username that exists, then an "is already in use" error is produced. NOTE: this product is discontinued...