Total
63 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-38322 | 1 Ibm | 1 Storage Defender Resiliency Service | 2024-11-21 | N/A | 5.3 MEDIUM |
| IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.4 agent username and password error response discrepancy exposes product to brute force enumeration. IBM X-Force ID: 294869. | |||||
| CVE-2024-36996 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-11-21 | N/A | 5.3 MEDIUM |
| In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme. | |||||
| CVE-2024-31870 | 1 Ibm | 1 I | 2024-11-21 | N/A | 3.3 LOW |
| IBM Db2 for i 7.2, 7.3, 7.4, and 7.5 supplies user defined table function is vulnerable to user enumeration by a local authenticated attacker, without having authority to the related *USRPRF objects. This can be used by a malicious actor to gather information about users that can be targeted in further attacks. IBM X-Force ID: 287174. | |||||
| CVE-2024-28232 | 2024-11-21 | N/A | 6.2 MEDIUM | ||
| Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in version 0.4.8 but that version has not yet been uploaded to Go's package manager. | |||||
| CVE-2024-24766 | 2024-11-21 | N/A | 6.2 MEDIUM | ||
| CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error `**User does not exist**`. If the password is incorrect application gives the error `**Invalid password**`. Version 0.4.7 fixes this issue. | |||||
| CVE-2024-1145 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| User enumeration vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow a remote user to retrieve all valid users registered in the application just by looking at the request response. | |||||
| CVE-2023-4095 | 1 Fujitsu | 1 Arconte Aurea | 2024-11-21 | N/A | 5.3 MEDIUM |
| User enumeration vulnerability in Arconte Áurea 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to obtain a list of registered users in the application, obtaining the necessary information to perform more complex attacks on the platform. | |||||
| CVE-2023-41885 | 1 Piccolo-orm | 1 Piccolo | 2024-11-21 | N/A | 5.3 MEDIUM |
| Piccolo is an ORM and query builder which supports asyncio. In versions 0.120.0 and prior, the implementation of `BaseUser.login` leaks enough information to a malicious user such that they would be able to successfully generate a list of valid users on the platform. As Piccolo on its own does not also enforce strong passwords, these lists of valid accounts are likely to be used in a password spray attack with the outcome being attempted takeover of user accounts on the platform. The impact of this vulnerability is minor as it requires chaining with other attack vectors in order to gain more then simply a list of valid users on the underlying platform. The likelihood of this vulnerability is possible as it requires minimal skills to pull off, especially given the underlying login functionality for Piccolo based sites is open source. This issue has been patched in version 0.121.0. | |||||
| CVE-2023-40179 | 1 Silverwaregames | 1 Silverwaregames | 2024-11-21 | N/A | 5.3 MEDIUM |
| Silverware Games is a premium social network where people can play games online. Prior to version 1.3.6, the Password Recovery form would throw an error if the specified email was not found in our database. It would only display the "Enter the code" form if the email is associated with a member of the site. Since version 1.3.6, the "Enter the code" form is always returned, showing the message "If the entered email is associated with an account, a code will be sent now". This change prevents potential violators from determining if our site has a user with the specified email. | |||||
| CVE-2023-3221 | 1 Password Recovery Project | 1 Password Recovery | 2024-11-21 | N/A | 5.3 MEDIUM |
| User enumeration vulnerability in Password Recovery plugin 1.2 version for Roundcube, which could allow a remote attacker to create a test script against the password recovery function to enumerate all users in the database. | |||||
| CVE-2023-39343 | 1 Sulu | 1 Sulu | 2024-11-21 | N/A | 4.3 MEDIUM |
| Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10. | |||||
| CVE-2023-37831 | 1 Elenos | 2 Etg150, Etg150 Firmware | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue discovered in Elenos ETG150 FM transmitter v3.12 allows attackers to enumerate user accounts based on server responses when credentials are submitted. | |||||
| CVE-2023-33859 | 1 Ibm | 1 Security Qradar Edr | 2024-11-21 | N/A | 5.3 MEDIUM |
| IBM Security QRadar EDR 3.12 could disclose sensitive information due to an observable login response discrepancy. IBM X-Force ID: 257697. | |||||
| CVE-2023-32346 | 1 Teltonika | 1 Remote Management System | 2024-11-21 | N/A | 5.3 MEDIUM |
| Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been claimed, or whether the attempt to claim a device was successful. An attacker could exploit this to create a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System. | |||||
| CVE-2022-41697 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability. | |||||
| CVE-2022-31248 | 1 Suse | 1 Manager Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4.2 spacewalk-java versions prior to 4.2.37-1. | |||||
| CVE-2022-22520 | 2 Helmholz, Mbconnectline | 4 Myrex24, Myrex24.virtual, Mbconnect24 and 1 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. | |||||
| CVE-2022-20633 | 2024-11-18 | N/A | 5.3 MEDIUM | ||
| A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to perform a username enumeration attack against an affected device. This vulnerability is due to differences in authentication responses that are sent back from the application as part of an authentication attempt. An attacker could exploit this vulnerability by sending authentication requests to an affected device. A successful exploit could allow the attacker to confirm existing user accounts, which could be used in further attacks. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | |||||
| CVE-2024-47129 | 1 Gotenna | 1 Gotenna Pro | 2024-10-17 | N/A | 4.3 MEDIUM |
| The goTenna Pro App does not inject extra characters into broadcasted frames to obfuscate the length of messages. This makes it possible to tell the length of the payload regardless of the encryption used. | |||||
| CVE-2024-41715 | 1 Gotenna | 1 Atak Plugin | 2024-10-17 | N/A | 4.3 MEDIUM |
| The goTenna Pro ATAK Plugin does not inject extra characters into broadcasted frames to obfuscate the length of messages. This makes it possible to tell the length of the payload regardless of the encryption used. | |||||