userSpice 4.3.24 Username Enumeration via existingUsernameCheck.php
Description
userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
userSpice 4.3.24 allows unauthenticated attackers to enumerate valid usernames via the existingUsernameCheck.php endpoint by checking for 'taken' in the response.
Vulnerability
The vulnerability exists in userSpice 4.3.24 (and possibly earlier versions) in the file /users/parsers/existingUsernameCheck.php. This endpoint accepts POST requests with a username parameter and returns a response containing the string 'taken' if the username exists, or a different response otherwise. No authentication is required to access this endpoint. The issue is classified as CWE-204 (Observable Response Discrepancy) [1]. Affected versions: userSpice <= 4.3.24.
Exploitation
An unauthenticated attacker sends a POST request to existingUsernameCheck.php with a username parameter. The attacker then inspects the response body for the substring 'taken'. If present, the username is valid. The exploit script provided in [2] demonstrates this process: it reads a list of usernames from a file, sends a request for each, and prints [FOUND] when the response contains 'taken'. No special network position or user interaction is required.
Impact
An attacker can enumerate valid usernames on the system. This information can be leveraged for further attacks such as brute-force password guessing, credential stuffing, or targeted phishing. The CVSS v4 score is 9.3 (Critical) per [1], indicating high impact on confidentiality, integrity, and availability due to the potential for account compromise.
Mitigation
As of the available references, no official patch has been released for userSpice 4.3.24. Users should upgrade to a newer version if available, or implement server-side input validation and consistent error messages to eliminate response discrepancies. The vendor website is www.userspice.com. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
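A defender-side detection for the behaviour described above, added here as an example that is not part of this advisory, the exploit-db script, or the userSpice project: it parses web-server access-log lines in the common combined format and flags any client that sends a threshold number of POSTs to the check endpoint within a sliding time window, which is the traffic shape a wordlist-driven enumeration produces. The endpoint path is taken from the advisory; the log format, the sample addresses and timestamps, and the threshold and window values are assumptions chosen for the example.

```python
"""Flag clients that hammer existingUsernameCheck.php (username enumeration)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Endpoint path from the advisory; everything else below is an assumption.
TARGET_PATH = "/users/parsers/existingUsernameCheck.php"

# Apache/nginx "combined" log format (assumed). Captures client IP, timestamp,
# method, request path and status code; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed combined-log line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def find_enumeration_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {client_ip: count} for every client whose POSTs to TARGET_PATH
    reach `threshold` inside any `window`-long sliding window. The count is the
    number of requests in the window at the moment the client first trips it."""
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])  # logs are not guaranteed to be ordered
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    alerts = {}
    for rec in records:
        if rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = len(q)
    return alerts


# --- Constructed sample log (not real traffic) -----------------------------
def _line(ip, ts, method, path, status=200, size=120):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size}'


_T0 = datetime(2026, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # one ordinary visitor: a page load plus two legitimate availability checks
    [_line("198.51.100.4", _T0, "GET", "/users/join.php"),
     _line("198.51.100.4", _T0 + timedelta(seconds=5), "POST", TARGET_PATH),
     _line("198.51.100.4", _T0 + timedelta(seconds=40), "POST", TARGET_PATH)]
    # one client sending 25 checks in 25 seconds: the enumeration shape
    + [_line("203.0.113.7", _T0 + timedelta(seconds=i), "POST", TARGET_PATH)
       for i in range(25)]
    # a malformed line, which the parser must skip rather than crash on
    + ["this line is not in combined log format"]
)

if __name__ == "__main__":
    for ip, count in find_enumeration_bursts(SAMPLE_LOG).items():
        print(f"[ALERT] {ip}: {count} username checks inside the window")
```

The threshold and window should be tuned to the site's real registration traffic; the two checks from the ordinary visitor above stay well below any sensible value. An alert of this kind is a complement to, not a substitute for, rate-limiting the endpoint and removing the response discrepancy itself.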
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
- www.exploit-db.com/exploits/44872 (mitre, exploit)
- www.vulncheck.com/advisories/userspice-username-enumeration-via-existingusernamecheck-php (mitre, third-party advisory)
News mentions: 0
No linked articles in our index yet.