VYPR

CWE-203

Observable Discrepancy

Abstraction: Base | Status: Incomplete

Description

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-189

CVEs mapped to this weakness (224)

page 3 of 12
  • CVE-2018-3620 | Medium | Aug 14, 2018
    risk 0.37 | CVSS 5.6 | EPSS 0.06

    Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.

  • CVE-2018-3640 | Medium | May 22, 2018
    risk 0.37 | CVSS 5.6 | EPSS 0.08

    Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis, aka Rogue System Register Read (RSRE),…

  • CVE-2024-54476 | Medium | Dec 12, 2024
    risk 0.36 | CVSS 5.5 | EPSS 0.00

    The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. An app may be able to access user-sensitive data.

  • CVE-2016-2178 | Medium | Jun 20, 2016
    risk 0.36 | CVSS 5.5 | EPSS 0.01

    The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.

  • CVE-2024-11297 | Medium | Dec 20, 2024
    risk 0.35 | CVSS 5.3 | EPSS 0.01

    The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract…

  • CVE-2024-48644 | Medium | Oct 22, 2024
    risk 0.35 | CVSS 5.3 | EPSS 0.01

    Accounts enumeration vulnerability in the Login Component of Reolink Duo 2 WiFi Camera (Firmware Version v3.0.0.1889_23031701) allows remote attackers to determine valid user accounts via login attempts. This can lead to the enumeration of user accounts and potentially…

  • CVE-2018-10949 | Medium | May 10, 2018
    risk 0.35 | CVSS 5.3 | EPSS 0.02

    mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the "HTTP 404 - account is not active" and "HTTP 401 - must authenticate" errors.

  • CVE-2018-0134 | Medium | Feb 8, 2018
    risk 0.35 | CVSS 5.3 | EPSS 0.01

    A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to determine whether a subscriber username is valid. The vulnerability occurs because the Cisco Policy Suite RADIUS server component returns different…

  • CVE-2017-5107 | Medium | Oct 27, 2017
    risk 0.35 | CVSS 5.3 | EPSS 0.02

    A timing attack in SVG rendering in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to extract pixel values from a cross-origin page being iframe'd via a crafted HTML page.

  • CVE-2017-7006 | Medium | Jul 20, 2017
    risk 0.35 | CVSS 5.3 | EPSS 0.01

    An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct a timing side-channel attack to bypass the Same…

  • CVE-2017-8055 | Medium | Apr 22, 2017
    risk 0.35 | CVSS 5.3 | EPSS 0.02

    WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML-RPC login handler. A login request that contains a blank password sent to the XML-RPC agent in Fireware v11.12.1 and earlier returns different responses for valid and invalid usernames. An attacker could…

  • CVE-2016-9129 | Medium | Mar 28, 2017
    risk 0.35 | CVSS 5.3 | EPSS 0.01

    Revive Adserver before 3.2.3 suffers from Information Exposure Through Discrepancy. It is possible to check whether or not an email address was associated to one or more user accounts on a target Revive Adserver instance by examining the message printed by the password recovery…

  • CVE-2025-54477 | Medium | Sep 30, 2025
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    Improper handling of authentication requests leads to a user enumeration vector in the passkey authentication method.

  • CVE-2025-24391 | Medium | Jul 14, 2025
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses. This issue affects: * OTRS…

  • CVE-2024-47057 | Medium | May 28, 2025
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    Summary: This advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames. User Enumeration via Timing Attack: A user enumeration…

  • CVE-2021-47664 | Medium | Apr 24, 2025
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    Due to an improper authentication mechanism, an unauthenticated remote attacker can enumerate valid usernames.

  • CVE-2023-37482 | Medium | Feb 11, 2025
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    The login functionality of the web server in affected devices does not normalize the response times of login attempts. An unauthenticated remote attacker could exploit this side-channel information to distinguish between valid and invalid usernames.

  • CVE-2025-24506 | Medium | Jan 30, 2025
    risk 0.34 | CVSS not listed | EPSS 0.00

    A specific authentication strategy allows an attacker to learn the IDs of PAM users associated with certain authentication types.

  • CVE-2024-54454 | Medium | Dec 27, 2024
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15. An Observable Response Discrepancy vulnerability in the sendPasswordReinitLink action of the unlogged.do page allows remote attackers to test whether a…

  • CVE-2024-23984 | Medium | Sep 16, 2024
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    Observable discrepancy in RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
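Most of the web and device entries on this page are the same defect: a login or password-reset handler that answers differently, or after a different amount of work, depending on whether the username exists (the Zimbra "404 vs 401" split, the WatchGuard and Reolink login responses, the un-normalised response times in CVE-2023-37482, the reset-flow leaks in Revive Adserver, Mautic and Kurmi). The following is an added example written for this page, not code from any listed vendor or from the CWE itself. It shows a login handler that leaks through status code, message and timing beside a hardened form that does the same work and returns the same answer either way, plus the probe an attacker would run to measure the gap. The user store, salt, usernames and messages are constructed for the example.

```python
import hashlib
import hmac
import statistics
import time

# Constructed user store for the example: one real account. The salt and
# password are made up here; a real system uses a random per-user salt.
_SALT = b"constructed-example-salt"
_ITERATIONS = 20_000


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    """PBKDF2-HMAC-SHA256; deliberately costly so timing gaps are visible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {"alice": _hash("correct horse battery")}
# Compared against when the username is unknown, so the work done is the same.
_DUMMY_HASH = _hash("not-a-real-password")


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Leaks account existence three ways: status code, message, and timing
    (unknown users return before any hashing happens), i.e. the pattern in
    the 404-vs-401 and non-normalised-response-time entries above."""
    stored = USERS.get(username)
    if stored is None:
        return 404, "account is not active"
    if hmac.compare_digest(_hash(password), stored):
        return 200, "ok"
    return 401, "must authenticate"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same status, same message and same amount of work whether or not the
    username exists. The dummy hash is compared but can never grant access
    because `username in USERS` is also required."""
    stored = USERS.get(username, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash(password), stored)
    if matched and username in USERS:
        return 200, "ok"
    return 401, "invalid username or password"


def password_reset_hardened(email: str) -> str:
    """Reset flows leak the same way: answer identically whether or not the
    address is known, and do the lookup regardless so timing stays uniform."""
    _known = email in USERS  # result never changes the reply
    return "If that address is registered, a reset link has been sent."


def probe(handler, usernames, password="wrong-password", samples=7):
    """What an attacker measures: status, message and median latency per
    username, using a password that is wrong for every account."""
    results = {}
    for user in usernames:
        timings = []
        for _ in range(samples):
            start = time.perf_counter()
            status, message = handler(user, password)
            timings.append(time.perf_counter() - start)
        results[user] = (status, message, statistics.median(timings))
    return results


def response_discrepancy(handler, known="alice", unknown="mallory") -> bool:
    """True if the status code or message differs between a real and a fake user."""
    r = probe(handler, [known, unknown], samples=1)
    return r[known][:2] != r[unknown][:2]


def timing_discrepancy(handler, known="alice", unknown="mallory", factor=3.0) -> bool:
    """True if median latencies differ by more than `factor`. The vulnerable
    handler differs by orders of magnitude (dict lookup vs 20k PBKDF2 rounds)."""
    r = probe(handler, [known, unknown])
    fast, slow = sorted((r[known][2], r[unknown][2]))
    return slow / max(fast, 1e-9) > factor


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "response leak:", response_discrepancy(handler),
              "timing leak:", timing_discrepancy(handler))
```

The fix is not "pad the slow path to a fixed delay": it is to make the unknown-user path perform the same password hash the known-user path does, and to collapse the two failure messages into one. The `username in USERS` guard is what keeps the dummy-hash comparison from ever authenticating a nonexistent account; drop it and a hardened handler turns into a different bug.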