Total
57 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-20633 | 2024-11-15 | 5.3 Medium | ||
| A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to perform a username enumeration attack against an affected device. This vulnerability is due to differences in authentication responses that are sent back from the application as part of an authentication attempt. An attacker could exploit this vulnerability by sending authentication requests to an affected device. A successful exploit could allow the attacker to confirm existing user accounts, which could be used in further attacks. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | ||||
| CVE-2023-49069 | 1 Siemens | 1 Mendix | 2024-11-12 | 5.3 Medium |
| A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.16.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.7 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions < V10.6.16 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions < V8.18.32 only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions < V9.24.29 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames. | ||||
| CVE-2024-36996 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-30 | 5.3 Medium |
| In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme. | ||||
| CVE-2023-35698 | 1 Sick | 2 Icr890-4, Icr890-4 Firmware | 2024-10-25 | 5.3 Medium |
| Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from the response given during a failed login attempt. | ||||
| CVE-2023-37217 | 1 Tadirantele | 1 Aeonix | 2024-10-21 | 5.3 Medium |
| Tadiran Telecom Aeonix - CWE-204: Observable Response Discrepancy | ||||
| CVE-2024-47129 | 1 Gotenna | 2 Gotenna Pro, Pro App | 2024-10-17 | 4.3 Medium |
| The goTenna Pro App does not inject extra characters into broadcasted frames to obfuscate the length of messages. This makes it possible to tell the length of the payload regardless of the encryption used. | ||||
| CVE-2024-41715 | 1 Gotenna | 1 Atak Plugin | 2024-10-17 | 4.3 Medium |
| The goTenna Pro ATAK Plugin does not inject extra characters into broadcasted frames to obfuscate the length of messages. This makes it possible to tell the length of the payload regardless of the encryption used. | ||||
| CVE-2023-39343 | 1 Sulu | 1 Sulu | 2024-10-03 | 4.3 Medium |
| Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10. | ||||
| CVE-2023-40179 | 1 Silverwaregames | 1 Silverwaregames | 2024-10-02 | 5.3 Medium |
| Silverware Games is a premium social network where people can play games online. Prior to version 1.3.6, the Password Recovery form would throw an error if the specified email was not found in our database. It would only display the "Enter the code" form if the email is associated with a member of the site. Since version 1.3.6, the "Enter the code" form is always returned, showing the message "If the entered email is associated with an account, a code will be sent now". This change prevents potential violators from determining if our site has a user with the specified email. | ||||
| CVE-2023-3221 | 1 Password Recovery Project | 1 Password Recovery | 2024-09-30 | 5.3 Medium |
| User enumeration vulnerability in Password Recovery plugin 1.2 version for Roundcube, which could allow a remote attacker to create a test script against the password recovery function to enumerate all users in the database. | ||||
| CVE-2023-46170 | 2024-09-27 | 6.5 Medium | ||
| IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow an authenticated user to arbitrarily read files after enumerating file names. | ||||
| CVE-2023-41885 | 1 Piccolo-orm | 1 Piccolo | 2024-09-26 | 5.3 Medium |
| Piccolo is an ORM and query builder which supports asyncio. In versions 0.120.0 and prior, the implementation of `BaseUser.login` leaks enough information to a malicious user such that they would be able to successfully generate a list of valid users on the platform. As Piccolo on its own does not also enforce strong passwords, these lists of valid accounts are likely to be used in a password spray attack with the outcome being attempted takeover of user accounts on the platform. The impact of this vulnerability is minor as it requires chaining with other attack vectors in order to gain more then simply a list of valid users on the underlying platform. The likelihood of this vulnerability is possible as it requires minimal skills to pull off, especially given the underlying login functionality for Piccolo based sites is open source. This issue has been patched in version 0.121.0. | ||||
| CVE-2023-4095 | 1 Fujitsu | 1 Arconte Aurea | 2024-09-25 | 5.3 Medium |
| User enumeration vulnerability in Arconte Áurea 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to obtain a list of registered users in the application, obtaining the necessary information to perform more complex attacks on the platform. | ||||
| CVE-2024-8651 | 1 Netcat | 2 Netcat, Netcat Content Management System | 2024-09-23 | 5.3 Medium |
| A vulnerability in NetCat CMS allows an attacker to send a specially crafted http request that can be used to check whether a user exists in the system, which could be a basis for further attacks. This issue affects NetCat CMS v. 6.4.0.24126.2 and possibly others. Apply patch from vendor https://netcat.ru/ https://netcat.ru/] . Versions 6.4.0.24248 and on have the patch. | ||||
| CVE-2024-6056 | 1 Nasirkhan | 1 Laravel Starter | 2024-09-23 | 3.7 Low |
| A vulnerability was found in nasirkhan Laravel Starter up to 11.8.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /forgot-password of the component Password Reset Handler. The manipulation of the argument Email leads to observable response discrepancy. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268784. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-34336 | 1 Ordat | 2 Foss-online, Ordat.erp | 2024-09-18 | 5.3 Medium |
| User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality. | ||||
| CVE-2022-22520 | 2 Helmholz, Mbconnectline | 4 Myrex24, Myrex24.virtual, Mbconnect24 and 1 more | 2024-09-17 | 5.3 Medium |
| A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. | ||||
| CVE-2021-36201 | 1 Johnsoncontrols | 2 C-cure 9000, C-cure 9000 Firmware | 2024-09-17 | 4.3 Medium |
| Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions. | ||||
| CVE-2021-34580 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-09-17 | 7.5 High |
| In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts. | ||||
| CVE-2022-1989 | 1 Codesys | 1 Visualization | 2024-09-16 | 5.3 Medium |
| All CODESYS Visualization versions before V4.2.0.0 generate a login dialog vulnerable to information exposure allowing a remote, unauthenticated attacker to enumerate valid users. | ||||