CWE-204

Observable Response Discrepancy

Abstraction: Base · Status: Incomplete

Description

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-331 · CAPEC-332 · CAPEC-541 · CAPEC-580

CVEs mapped to this weakness (79)

Page 4 of 4 (the 19 entries on this page are listed below)
  • CVE-2025-30150 · Apr 8, 2025 · risk 0.00 · cvss n/a · epss 0.00

    Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as an attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the…

  • CVE-2025-24023 · Mar 3, 2025 · risk 0.00 · cvss n/a · epss 0.00

    Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.

  • CVE-2025-24980 · Feb 7, 2025 · risk 0.00 · cvss n/a · epss 0.00

    pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. No generic error message has been implemented. This issue has been…

  • CVE-2024-45231 · Oct 8, 2024 · risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and…

  • CVE-2024-47059 · Sep 18, 2024 · risk 0.00 · cvss n/a · epss 0.00

    When logging in with the correct username and an incorrect weak password, the user receives the notification that their password is too weak. However, when an incorrect username is provided alongside a weak password, the application responds with 'Invalid credentials'…

  • CVE-2024-28232 · Apr 1, 2024 · risk 0.00 · cvss n/a · epss 0.01

    Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The CasaOS login page disclosed a username enumeration vulnerability, which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in…

  • CVE-2024-28868 · Mar 20, 2024 · risk 0.00 · cvss n/a · epss 0.00

    Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively…

  • CVE-2024-24766 · Mar 6, 2024 · risk 0.00 · cvss n/a · epss 0.01

    CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the CasaOS login page disclosed a username enumeration vulnerability. An attacker can enumerate the CasaOS username using the…

  • CVE-2024-25146 · Feb 8, 2024 · risk 0.00 · cvss n/a · epss 0.01

    Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have…

  • CVE-2023-41885 · Sep 12, 2023 · risk 0.00 · cvss n/a · epss 0.00

    Piccolo is an ORM and query builder which supports asyncio. In versions 0.120.0 and prior, the implementation of `BaseUser.login` leaks enough information to a malicious user such that they would be able to successfully generate a list of valid users on the platform. As Piccolo…

  • CVE-2023-39343 · Aug 4, 2023 · risk 0.00 · cvss n/a · epss 0.01

    Sulu is an open-source PHP content management system based on the Symfony framework. Via the Admin Login form it is possible to detect which users (username, email) exist and which do not. Sulu installations not using the old Symfony 5.4 security system and previous version…

  • CVE-2023-1540 · Mar 21, 2023 · risk 0.00 · cvss n/a · epss 0.01

    Observable Response Discrepancy in GitHub repository answerdev/answer prior to 1.0.6.

  • CVE-2022-39228 · Mar 1, 2023 · risk 0.00 · cvss n/a · epss 0.01

    vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of a wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a…

  • CVE-2019-19030 · Dec 26, 2022 · risk 0.00 · cvss n/a · epss 0.02

    Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.

  • CVE-2022-39315 · Oct 25, 2022 · risk 0.00 · cvss n/a · epss 0.01

    Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks…

  • CVE-2022-39314 · Oct 24, 2022 · risk 0.00 · cvss n/a · epss 0.00

    Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are using the `code` or `password-reset` auth…

  • CVE-2022-21659 · Jan 31, 2022 · risk 0.00 · cvss n/a · epss 0.01

    Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response…

  • CVE-2021-39189 · Sep 15, 2021 · risk 0.00 · cvss n/a · epss 0.01

    Pimcore is an open source data & experience management platform. In versions prior to 10.1.3, it is possible to enumerate usernames via the forgot password functionality. This issue is fixed in version 10.1.3. As a workaround, one may apply the available patch manually.

  • CVE-2020-11063 · May 13, 2020 · risk 0.00 · cvss n/a · epss 0.01

    In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has…