Description
The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions.
Published: 2026-04-01
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Account Enumeration
Action: Disable Enumeration
AI Analysis

Impact

The vulnerability arises because the login interface returns one message when the username exists (but the password is wrong) and a different message when the username does not exist, so an unauthenticated attacker can confirm whether an account exists without knowing its password. This information disclosure lets adversaries build a list of legitimate usernames for targeted credential guessing, password spraying or phishing. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). A confirmed username list lowers the cost of every follow-on attack that depends on knowing user identities.
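The following is an added example, not Sage DPW code (the product's login endpoint and exact messages are not published on this page): a minimal login handler that leaks account existence the way the description states, beside a hardened one, and an oracle function showing how an attacker tells the two apart. The user store, passwords, salts and messages are constructed for the example.

```python
"""Added example (not Sage DPW code): leaky vs. hardened login handler and the
attacker's enumeration oracle. All data below is constructed for illustration."""
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 digest). Hypothetical data.
_SALT = b"constructed-salt-for-example"
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy record so an unknown username still costs one password hash: this closes
# the timing side channel, not only the message side channel.
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable pattern (CWE-200): the error text says whether the account exists."""
    rec = USERS.get(username)
    if rec is None:
        return False, "Unknown user name"          # leaks: account does not exist
    salt, digest = rec
    if hmac.compare_digest(_hash(password, salt), digest):
        return True, "OK"
    return False, "Wrong password"                 # leaks: account exists


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Hardened: one generic message for both failure cases, and the password is
    hashed on every attempt so the two failure paths take comparable time."""
    rec = USERS.get(username)
    salt, digest = rec if rec is not None else _DUMMY
    ok = hmac.compare_digest(_hash(password, salt), digest) and rec is not None
    if ok:
        return True, "OK"
    return False, "Invalid user name or password"


def enumerates(login, known_user: str, unknown_user: str) -> bool:
    """Attacker's oracle: with a random wrong password, does a real account answer
    differently from a nonexistent one? True means usernames can be enumerated."""
    bad_password = secrets.token_hex(8)
    return login(known_user, bad_password) != login(unknown_user, bad_password)


if __name__ == "__main__":
    print("leaky login enumerable:   ", enumerates(login_leaky, "alice", "nobody"))
    print("hardened login enumerable:", enumerates(login_hardened, "alice", "nobody"))
```

Against a real deployment the oracle compares more than the message text: HTTP status, redirect target, response length and response time can all differ between the two failure paths even when the wording is identical, which is why the hardened handler hashes a dummy password for unknown users instead of returning early.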

Affected Systems

The CVE description names Sage DPW 2021_06_004 as affected and states that enumeration is possible in versions before 2021_06_000; as written the two version boundaries do not agree, so until the vendor clarifies, treat any release that lacks the configuration option as affected. In newer releases on-premise administrators can enable or disable the distinct login responses; older releases have no such option and remain vulnerable as shipped.

Risk and Exploitability

The CVSS 3.1 base score of 3.7 is rated Low (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N): the issue is reachable over the network without privileges or user interaction and has a limited confidentiality impact, but is scored with high attack complexity. In practice exploitation only requires sending login attempts with candidate usernames to the exposed login endpoint and comparing the responses. EPSS is below 1% (Very Low), the SSVC assessment records no known exploitation and "Automatable: no", and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 2, 2026 at 02:54 UTC.

Remediation

No vendor advisory or patch is linked. The only mitigation recorded in the CVE description is the configuration toggle in newer releases that lets on-premise administrators disable the distinct login responses.

OpenCVE Recommended Actions

  • Upgrade to a Sage DPW release in which the distinct login responses can be disabled, and disable them; the toggle exists only in newer releases, so an older version has no switch to flip
  • Verify the result from the outside: a login attempt for an existing user with a wrong password and one for a nonexistent user should return the same message, status code and response size, and take comparable time
  • Where the login page cannot be upgraded yet, reduce exposure by placing it behind a VPN, IP allow list or pre‑authentication gateway rather than leaving it reachable from the public internet
  • Monitor authentication logs for a single source attempting many distinct usernames in a short window, and apply rate limiting or lockout at the network or application edge
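Added example of the monitoring step, not Sage DPW tooling: a sliding-window check over constructed authentication log lines that flags a source address failing logins against many distinct usernames within a short interval, the signature of someone sweeping a username list against an enumeration oracle. The log line format is hypothetical (Sage DPW's own log format is not given on this page); map your real log to the four fields the parser expects.

```python
"""Added example (not Sage DPW tooling): detect username sweeps in auth logs.
The log format and every log line below are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, outcome, username, source address.
SAMPLE_LOG = """
2026-04-01T10:00:01 login fail user=alice src=10.0.0.5
2026-04-01T10:00:02 login fail user=admin src=10.0.0.5
2026-04-01T10:00:02 login fail user=bob src=10.0.0.9
2026-04-01T10:00:03 login fail user=bob src=10.0.0.5
2026-04-01T10:00:04 login fail user=carol src=10.0.0.5
2026-04-01T10:00:05 login ok user=bob src=10.0.0.9
2026-04-01T10:00:06 login fail user=dave src=10.0.0.5
2026-04-01T10:00:07 login fail user=erin src=10.0.0.5
2026-04-01T10:30:00 login fail user=frank src=10.0.0.5
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line: str):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def find_enumeration(lines, window=timedelta(minutes=5), min_distinct=5):
    """Return {src: n} for every source whose failed logins covered at least
    `min_distinct` distinct usernames inside some window of length `window`;
    n is the largest distinct-username count seen for that source."""
    fails = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev[1] == "fail":
            fails[ev[3]].append((ev[0], ev[2]))

    hits = {}
    for src, events in fails.items():
        events.sort()
        recent = deque()             # events still inside the window
        counts = defaultdict(int)    # username -> occurrences inside the window
        best = 0
        for ts, user in events:
            recent.append((ts, user))
            counts[user] += 1
            # Evict events that fell out of the window ending at `ts`.
            while recent and ts - recent[0][0] > window:
                old_ts, old_user = recent.popleft()
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
            best = max(best, len(counts))
        if best >= min_distinct:
            hits[src] = best
    return hits


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))   # 10.0.0.5 swept six usernames in six seconds
```

Counting distinct usernames rather than raw failures is what separates a sweep from a legitimate user mistyping one password several times; 10.0.0.9 above fails twice against a single account and is not reported. Tune the window and threshold to the normal failure rate of the deployment before alerting on it.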

Generated by OpenCVE AI on April 2, 2026 at 02:54 UTC.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type                  Values Removed    Values Added
Title                                   Account Enumeration via Distinct Login Responses in Sage DPW
First Time appeared                     Sage
                                        Sage dpw
Weaknesses                              CWE-200
Vendors & Products                      Sage
                                        Sage dpw

Wed, 01 Apr 2026 23:45:00 +0000

Type                  Values Removed    Values Added
Description                             The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions.
References
Metrics                                 cvssV3_1
                                        {'score': 3.7, 'vector': 'CVSS:3.1/AC:H/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N'}
                                        ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T15:53:44.181Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67806

Vulnrichment

Updated: 2026-04-01T15:53:38.923Z

NVD

Status: Awaiting Analysis

Published: 2026-04-01T16:23:48.323

Modified: 2026-04-03T16:11:11.357

Link: CVE-2025-67806

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:09:54Z

Weaknesses