VYPR

CWE-204

Observable Response Discrepancy

Abstraction: Base · Status: Incomplete

Description

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-331 · CAPEC-332 · CAPEC-541 · CAPEC-580

CVEs mapped to this weakness (79)

page 1 of 4
  • CVE-2018-25350 · Critical · May 23, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to…

  • CVE-2025-5485 · High · Jun 12, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through …

  • CVE-2025-12455 · High · Mar 13, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Observable response discrepancy vulnerability in OpenText™ Vertica allows Password Brute Forcing. The vulnerability could lead to Password Brute Forcing in the Vertica management console application. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X,…

  • CVE-2025-46390 · High · Aug 6, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    CWE-204: Observable Response Discrepancy

  • CVE-2025-3092 · High · Jun 24, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.

  • CVE-2026-4113 · High · Apr 9, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials.

  • CVE-2021-47717 · Medium · Dec 9, 2025
    risk 0.45 · cvss n/a · epss 0.00

    IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by exploiting the 'ctl00$MainContent$UserName' POST parameter. Attackers can send requests with valid usernames to retrieve user information.

  • CVE-2025-34155 · Medium · Oct 23, 2025
    risk 0.45 · cvss n/a · epss 0.01

    Tibbo AggreGate Network Manager < 6.40.05 contains an observable response discrepancy in its login functionality. Authentication failure messages differ based on whether a supplied username exists or not, allowing an unauthenticated remote attacker to infer valid account…

  • CVE-2025-2910 · Medium · Mar 28, 2025
    risk 0.45 · cvss n/a · epss 0.00

    User enumeration in the password reset module of the MeetMe authentication service in versions prior to 2024-09 allows an attacker to determine whether an email address is registered through specific error messages.

  • CVE-2026-34264 · Medium · Apr 14, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of…

  • CVE-2026-33419 · High · Mar 24, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error…

  • CVE-2026-43926 · Medium · Jun 4, 2026
    risk 0.41 · cvss n/a · epss 0.00

    FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint `/client/reset-password-confirm/:hash` is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only…

  • CVE-2025-23214 · Medium · Jan 20, 2025
    risk 0.38 · cvss n/a · epss 0.01

    Cosmos provides users the ability to self-host a home server by acting as a secure gateway to your application, as well as a server manager. By monitoring the error code returned in the login, it is possible to figure out whether a user exists or not in the database. Patched in…

  • CVE-2024-39211 · Medium · Jul 4, 2024
    risk 0.35 · cvss 5.3 · epss 0.01

    Kaiten 57.128.8 allows remote attackers to enumerate user accounts via a crafted POST request, because a login response contains a user_email field only if the user account exists.

  • CVE-2016-9499 · Medium · Jul 13, 2018
    risk 0.35 · cvss 5.3 · epss 0.08

    Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.

  • CVE-2026-45620 · Medium · May 29, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration.

  • CVE-2024-0391 · Medium · May 11, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks.…

  • CVE-2026-20195 · Medium · May 6, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called.…

  • CVE-2025-62181 · Medium · Dec 10, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a user enumeration issue. This issue occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only…

  • CVE-2025-25236 · Medium · Nov 12, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks.