spa-cartcms Username login observable behavioral discrepancy
Description
A vulnerability, which was classified as problematic, was found in spa-cartcms 1.9.0.6. Affected is an unknown function of the file /login of the component Username Handler. The manipulation of the argument email leads to observable behavioral discrepancy. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268896.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- spa-cartcms/spa-cartcms
- Range: =1.9.0.6
Patches
Vulnerability mechanics
Root cause
"The application returns different error messages ("P" vs "E") for valid versus invalid email addresses on the login page, enabling username enumeration."
Attack vector
An attacker sends a POST request to /login with an email address and an incorrect password. If the email is valid (registered), the server responds with "P"; if the email is invalid (unregistered), the server responds with "E" [ref_id=1]. This observable behavioral discrepancy allows a remote attacker to enumerate valid usernames by iterating through email addresses and observing the response character. The attack requires no authentication and can be performed over the network, though the attacker must craft individual HTTP requests for each candidate email.
Affected code
The vulnerability exists in the /login endpoint of the spa-cartcms 1.9.0.6 application [ref_id=1]. The Username Handler processes the `email` POST parameter and returns distinct single-character responses ("P" for valid, "E" for invalid); no patch or source file path is identified in the bundle.
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] does not include a fix or remediation guidance. To close the vulnerability, the application should return identical generic error messages (e.g., "Invalid credentials") for both valid and invalid usernames, eliminating the behavioral discrepancy that enables enumeration.
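As an added example (not spa-cartcms code), a minimal login handler that reproduces the "P" vs "E" discrepancy described above beside a hardened form that returns one generic message for every failed login and does the same password-hashing work on both paths; the user store, salts and helper names are constructed for illustration.

```python
# Added example, not spa-cartcms code: enumeration-prone login response
# pattern beside a hardened version that makes failures indistinguishable.
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest for a runnable demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (hypothetical data): email -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"test@test.test": (_SALT, _hash("correct-horse", _SALT))}

# Dummy credential so an unknown email still pays the hashing cost,
# keeping response timing similar for known and unknown accounts.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)


def login_vulnerable(email: str, password: str) -> str:
    """Mirrors the advisory: 'E' when the email is unknown, 'P' when only the password is wrong."""
    if email not in USERS:
        return "E"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "P"
    return "OK"


def login_hardened(email: str, password: str) -> str:
    """One generic message for both failure causes; hashing happens on every path."""
    known = email in USERS
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    return "OK" if (known and password_ok) else "Invalid credentials"


def leaks_enumeration(handler, registered: str, unregistered: str, wrong_pw: str = "wrong") -> bool:
    """True if a failed login reveals whether the submitted email is registered."""
    return handler(registered, wrong_pw) != handler(unregistered, wrong_pw)
```

The `leaks_enumeration` check is the kind of assertion a regression test for the fix would carry: failed logins for a registered and an unregistered address must produce identical responses.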
Preconditions
- network: Attacker must be able to send HTTP POST requests to the /login endpoint.
- input: Attacker must supply an email address and a password (any value) in the POST body.
Reproduction
1. Send a POST request to /login with a valid registered email and an incorrect password (e.g., `email=test%40test.test&password=test123`). Observe that the response body contains the single character "P".
2. Send a POST request to /login with an invalid/unregistered email and an incorrect password (e.g., `email=test%40test.t3st&password=test123`). Observe that the response body contains the single character "E".
3. The differing response characters ("P" vs "E") reveal whether the email address is registered, enabling username enumeration [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html (mitre, exploit)
- seclists.org/fulldisclosure/2024/Jun/6 (mitre, mailing-list)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)