Impact
MCO is vulnerable to user enumeration through authentication-related functionality. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations, enabling an attacker to identify legitimate usernames and email addresses. This is a credential disclosure weakness classified as CWE-204, and it can facilitate targeted phishing or credential-guessing attacks.
Affected Systems
MyComplianceOffice MCO version 25.3.3.1 has been confirmed to contain the vulnerability; other versions may also be affected. No additional vendor or product information is available.
Risk and Exploitability
The CVSS score is 6.9, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be the web application, where an attacker submits username reminder or password reset requests and compares the responses. No publicly documented exploits exist to date, but the ease of submitting such requests makes exploitation likely if the system is exposed to unauthenticated users.
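The response discrepancy described above is easiest to see side by side with its fix. The following added example (not MCO's code; the user store, addresses and messages are constructed) shows a password reset handler in its leaking form next to a hardened form that answers identically for known and unknown addresses, plus a check a team can run against its own reset or username-reminder endpoint to confirm the discrepancy is gone.

```python
import secrets
from typing import Callable, Dict

# Constructed sample data for this example (not from the advisory).
USERS: Dict[str, str] = {"alice@example.com": "u-1001"}
PENDING_RESETS: Dict[str, str] = {}   # email -> reset token awaiting delivery

Handler = Callable[[str], dict]


def reset_vulnerable(email: str) -> dict:
    """'Before' form: status and body reveal whether the address exists (CWE-204)."""
    if email not in USERS:
        return {"status": 404, "message": "No account found for that email address."}
    PENDING_RESETS[email] = secrets.token_urlsafe(32)
    return {"status": 200, "message": "A password reset link has been sent."}


def reset_hardened(email: str) -> dict:
    """Fixed form: identical status and wording for known and unknown addresses.

    The token is generated on every path so the request does the same work whether
    or not the account exists; only the queued delivery depends on the lookup, and
    the token itself never appears in the response.
    """
    token = secrets.token_urlsafe(32)
    if email in USERS:
        PENDING_RESETS[email] = token
    return {"status": 200,
            "message": "If an account exists for that address, a reset link has been sent."}


def response_discrepancy(handler: Handler, known: str, unknown: str) -> bool:
    """Regression check: does the handler answer a known and an unknown address differently?

    Returns True when status or message differ, i.e. the endpoint still leaks existence.
    """
    a, b = handler(known), handler(unknown)
    return (a["status"], a["message"]) != (b["status"], b["message"])


if __name__ == "__main__":
    for name, handler in (("vulnerable", reset_vulnerable), ("hardened", reset_hardened)):
        leaks = response_discrepancy(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}: {'leaks account existence' if leaks else 'uniform response'}")
```

The check compares only status and body; in a real deployment, response headers, redirects and response time must be uniform too, and the endpoint should be rate limited so repeated probing is throttled and logged.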
OpenCVE Enrichment