VYPR

CWE-203

Observable Discrepancy

Abstraction: Base
Status: Incomplete

Description

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
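
The weakness is easiest to see in an authentication endpoint, which is also where most of the CVEs mapped below sit (username enumeration, timing-based key checks). The following is an added example written for this page, not code from any of the listed products: a login handler with two observable discrepancies (a reply text that reveals whether the account exists, and no password-hashing work at all for unknown names) next to a hardened version that always returns one generic message and always performs the hash. The user store, salts and passwords are constructed for the demonstration, and the "work done" is counted directly so the discrepancy can be checked without relying on wall-clock timing.

```python
import hashlib
import hmac
import os

# Counter for the expensive step, so the "work done" discrepancy is
# observable deterministically instead of through wall-clock timing.
HASH_CALLS = 0


def _hash(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256); each call is counted."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


# Constructed user store for the example: one account, fixed salt.
_ALICE_SALT = b"constructed-example-salt"
USERS = {"alice": (_ALICE_SALT, _hash("correct horse", _ALICE_SALT))}

# Dummy credential so unknown usernames cost exactly one hash, like real ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16).hex(), _DUMMY_SALT)


def login_vulnerable(username: str, password: str):
    """Vulnerable shape: the reply text and the amount of work both depend
    on whether the username exists (CWE-203)."""
    if username not in USERS:
        return False, "unknown user"          # no hash computed: fast path
    salt, expected = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), expected):
        return False, "wrong password"
    return True, "ok"


def login_hardened(username: str, password: str):
    """Hardened shape: one generic message, and the password hash is always
    computed (against a dummy record for unknown users)."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # `&` rather than `and`: evaluate both operands, no short-circuit.
    ok = hmac.compare_digest(_hash(password, salt), expected) & (username in USERS)
    return (True, "ok") if ok else (False, "invalid username or password")


def probe(handler, candidate: str):
    """Attacker view: compare the reply and the work done for `candidate`
    against a username that certainly does not exist."""
    global HASH_CALLS
    baseline_name = "no-such-user-" + os.urandom(4).hex()
    HASH_CALLS = 0
    _, baseline_msg = handler(baseline_name, "x")
    baseline_work = HASH_CALLS
    HASH_CALLS = 0
    _, probe_msg = handler(candidate, "x")
    probe_work = HASH_CALLS
    return {
        "message_differs": probe_msg != baseline_msg,
        "work_differs": probe_work != baseline_work,
    }
```

Run `probe(login_vulnerable, "alice")` and both flags come back true; against `login_hardened` both are false, while valid credentials still log in. The dummy record matters as much as the generic message: an endpoint that says "invalid username or password" but returns in a fraction of the time for unknown names is still enumerable, just through a different channel.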

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-189

CVEs mapped to this weakness (224)

page 1 of 12
  • CVE-2019-25337 | Critical | Feb 12, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by manipulating the share.php endpoint. Attackers can send crafted GET requests to /index.php/core/ajax/share.php with a wildcard search parameter to retrieve…

  • CVE-2017-13099 | High | Dec 13, 2017
    risk 0.54 | cvss 7.5 | epss 0.25

    wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable wolfSSL application. This vulnerability is referred to as "ROBOT."

  • CVE-2023-5410 | High | Mar 12, 2024
    risk 0.53 | cvss 8.2 | epss 0.00

    A potential security vulnerability has been reported in the system BIOS of certain HP PC products, which might allow memory tampering. HP is releasing mitigation for the potential vulnerability.

  • CVE-2017-6168 | High | Nov 17, 2017
    risk 0.53 | cvss 7.4 | epss 0.22

    On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack)…

  • CVE-2026-41588 | Critical | May 8, 2026
    risk 0.52 | cvss 9.0 | epss 0.00

    RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16.

  • CVE-2022-50800 | High | Dec 30, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between…

  • CVE-2025-11145 | High | Oct 24, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account…

  • CVE-2025-41252 | High | Sep 29, 2025
    risk 0.49 | cvss 7.5 | epss 0.01

    Description: VMware NSX contains a username enumeration vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially leading to unauthorized access attempts. Impact: Username enumeration → facilitates unauthorized access. …

  • CVE-2025-1468 | High | Mar 18, 2025
    risk 0.49 | cvss 7.5 | epss 0.01

    An unauthenticated remote attacker can gain access to sensitive information including authentication information when using CODESYS OPC UA Server with the non-default Basic128Rsa15 security policy.

  • CVE-2024-41335 | High | Feb 27, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    Draytek devices Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor…

  • CVE-2024-54767 | High | Jan 6, 2025
    risk 0.49 | cvss 7.5 | epss 0.02

    An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication. NOTE: this is disputed by the Supplier because it cannot be reproduced, and the issue report focuses on an…

  • CVE-2024-40490 | High | Nov 1, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    An issue in Sourcebans++ before v.1.8.0 allows a remote attacker to obtain sensitive information via a crafted XAJAX call to the Forgot Password function.

  • CVE-2023-50781 | High | Feb 5, 2024
    risk 0.49 | cvss 7.5 | epss 0.01

    A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

  • CVE-2022-3907 | High | Dec 5, 2022
    risk 0.49 | cvss 7.5 | epss 0.01

    The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options.

  • CVE-2016-6489 | High | Apr 14, 2017
    risk 0.49 | cvss 7.5 | epss 0.05

    The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.

  • CVE-2018-3615 | High | Aug 14, 2018
    risk 0.48 | cvss 7.3 | epss 0.06

    Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.

  • CVE-2023-30312 | High | May 28, 2024
    risk 0.47 | cvss 7.3 | epss 0.00

    An issue discovered in OpenWrt 18.06, 19.07, 21.02, 22.03, and beyond allows off-path attackers to hijack TCP sessions, which could lead to a denial of service, impersonating the client to the server (e.g., for access to files over FTP), and impersonating the server to the…

  • CVE-2017-5753 | Medium | Jan 4, 2018
    risk 0.47 | cvss 5.6 | epss 0.94

    Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

  • CVE-2017-13098 | High | Dec 13, 2017
    risk 0.47 | cvss 7.5 | epss 0.24

    BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a…

  • CVE-2025-39702 | High | Sep 5, 2025
    risk 0.46 | cvss 7.0 | epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.
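
Three of the entries on this page (CVE-2026-41588 in RELATE, CVE-2022-3907 in the Clerk plugin, CVE-2025-39702 in the Linux kernel) are the same bug: a secret is checked with a comparison that stops at the first mismatching byte, so the time the check takes tells the caller how many leading bytes were right. The block below is an added example written for this page, not code from any of those projects. It models the early-exit comparison and a constant-time one, exposes the number of bytes examined as a stand-in for the measured time, and runs a byte-at-a-time recovery against both. The 16-byte secret is constructed for the demonstration; `verify_key` shows the standard-library call (`hmac.compare_digest`) that production code should use instead of a hand-rolled loop.

```python
import hmac


def naive_equal(a: bytes, b: bytes):
    """Early-exit comparison, the shape behind the timing findings above.
    Returns (equal, bytes_examined); the second value stands in for the
    elapsed time an attacker would measure."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_equal(a: bytes, b: bytes):
    """Examines every byte regardless of where the first mismatch is, so the
    work depends only on the length. The length itself is still observable,
    which is acceptable for fixed-size MACs and keys."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify_key(secret: bytes, presented: bytes) -> bool:
    """Production form: use the library primitive rather than a hand-rolled loop."""
    return hmac.compare_digest(secret, presented)


def make_oracle(secret: bytes, compare):
    """Server side: verifies a presented MAC/API key with `compare` and
    leaks the work count, as a timing side channel would."""
    def oracle(presented: bytes):
        return compare(secret, presented)
    return oracle


def recover_secret(oracle, length: int) -> bytes:
    """Byte-at-a-time recovery using only the work-count side channel: the
    correct byte at position `pos` is the one that makes the server examine
    more than pos + 1 bytes (or accept outright). At most 256 * length queries."""
    guess = bytearray(length)
    for pos in range(length):
        for candidate in range(256):
            guess[pos] = candidate
            equal, examined = oracle(bytes(guess))
            if equal or examined > pos + 1:
                break
    return bytes(guess)


# Constructed 16-byte secret for the demonstration (not a real key).
SECRET = bytes.fromhex("3a7f1c9e00b45d62e8f10a3344c5d6e7")


def demo():
    """Returns (recovered_from_naive, recovered_from_constant_time)."""
    leaky = recover_secret(make_oracle(SECRET, naive_equal), len(SECRET))
    fixed = recover_secret(make_oracle(SECRET, constant_time_equal), len(SECRET))
    return leaky == SECRET, fixed == SECRET
```

`demo()` returns `(True, False)`: against the early-exit comparison the full secret comes back in at most 4096 queries, whereas against the constant-time comparison the work count is the same for every guess and the search learns nothing. Over a network the per-byte difference is nanoseconds, so a real attack needs many repeated measurements and statistics, but the leak is structurally the same, which is why the fix in every case is to switch the comparison primitive (`hmac.compare_digest` in Python, `crypto_memneq` in the kernel) rather than to add noise.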