16 matches found
MiracleLinux 7 : openssh-7.4p1-21.el7 (AXSA:2019-4118:02)
The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2019-4118:02 advisory. openssh: User enumeration via malformed packets in authentication requests CVE-2018-15473 Tenable has extracted the preceding description block directly from...
EUVD-2021-21230
Malware in sbrugna...
EUVD-2014-0057
Malware in sbrugna...
EUVD-2021-9403
Malicious code in bioql PyPI...
CVE-2025-53640 Indico vulnerable to user enumeration via API endpoint
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields such as ACLs could be misused to dump basic user details such ...
CVE-2025-24391
OTRS exposes a user-enumeration flaw via its External Interface affecting OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, and 2025.X. Attackers can infer valid email addresses from differing HTTP response codes/messages, per multiple sources (e.g., Red Hat, SUSE, PT-2025-29438). CVSS 3.1 impact: LOW confiden...
CVE-2024-28868
Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external...
CVE-2024-39211
Kaiten 57.128.8 allows remote attackers to enumerate user accounts via a crafted POST request, because a login response contains a useremail field only if the user account exists...
CVE-2012-4390
(1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allow remote authenticated users to enumerate the registered users via unspecified vectors...
Zabbix 5.x < 5.0.46rc1 / 6.x < 6.0.38rc1 / 7.0.x < 7.0.9rc1 / 7.2.x < 7.2.3rc1 User Enumeration (ZBX-26255)
The version of Zabbix installed on the remote host is affected by a user enumeration vulnerability. Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one. Note that Nessus has not tested for this issue but has instead relied only on the...
CVE-2025-31124 Zitadel allows User Enumeration by loginname attribute normalization
Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report...
CVE-2025-24011 Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes
Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and...
CVE-2024-36510
CVE-2024-36510 affects Fortinet FortiClientEMS and FortiSOAR. The issue is an observable response discrepancy (CWE-204) that could allow an unauthenticated attacker to enumerate valid users by observing login request responses. Affected: FortiClientEMS versions 7.0 all versions and 7.2.0–7.2.4, 7...
CVE-2024-52043
Generation of Error Message Containing Sensitive Information in HumHub GmbH & Co. KG - HumHub on Linux allows: Excavation user enumeration. This issue affects all released HumHub versions: through 1.16.2...
CVE-2018-20170
OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an...
OpenSSH user enumeration vulnerability
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. CVE: CVE-2018-15473 Last updated: Aug...