Total
67 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52899 | 2025-07-31 | N/A | 5.3 MEDIUM | ||
| Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition prior to version 16.9.99.1750843170 and Tuleap Enterprise Edition prior to 16.8-4 and 16.9-2, the forgot password form allows for user enumeration. This is fixed in Tuleap Community Edition version 16.9.99.1750843170 and Tuleap Enterprise Edition 16.8-4 and 16.9-2. | |||||
| CVE-2025-54834 | 2025-07-31 | N/A | 5.3 MEDIUM | ||
| OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place. | |||||
| CVE-2022-20633 | 1 Cisco | 1 Enterprise Chat And Email | 2025-07-31 | N/A | 5.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to perform a username enumeration attack against an affected device. This vulnerability is due to differences in authentication responses that are sent back from the application as part of an authentication attempt. An attacker could exploit this vulnerability by sending authentication requests to an affected device. A successful exploit could allow the attacker to confirm existing user accounts, which could be used in further attacks. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | |||||
| CVE-2025-54129 | 2025-07-22 | N/A | 4.3 MEDIUM | ||
| HAXiam is a packaging wrapper for HAXcms which allows anyone to spawn their own microsite management platform. In versions 11.0.4 and below, the application returns a 200 response when requesting the data of a valid user and a 404 response when requesting the data of an invalid user. This can be used to infer the existence of valid user accounts. An authenticated attacker can use automated tooling to brute force potential usernames and use the application's response to identify valid accounts. This can be used in conjunction with other vulnerabilities, such as the lack of authorization checks, to enumerate and deface another user's sites. This is fixed in version 11.0.5. | |||||
| CVE-2024-56476 | 2 Ibm, Linux | 3 Aix, Txseries For Multiplatforms, Linux Kernel | 2025-07-15 | N/A | 5.3 MEDIUM |
| IBM TXSeries for Multiplatforms 9.1 and 11.1 could allow an attacker to enumerate usernames due to an observable login attempt response discrepancy. | |||||
| CVE-2025-27451 | 2025-07-03 | N/A | 5.3 MEDIUM | ||
| For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one. | |||||
| CVE-2025-3092 | 2025-06-26 | N/A | 7.5 HIGH | ||
| An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint. | |||||
| CVE-2025-5485 | 2025-06-16 | N/A | 8.6 HIGH | ||
| User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences. | |||||
| CVE-2025-49187 | 2025-06-12 | N/A | 5.3 MEDIUM | ||
| For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one. | |||||
| CVE-2025-0163 | 2025-06-12 | N/A | 5.3 MEDIUM | ||
| IBM Security Verify Access Appliance and Docker 10.0 through 10.0.8 could allow a remote attacker to enumerate usernames due to an observable response discrepancy of disabled accounts. | |||||
| CVE-2025-30280 | 2025-06-10 | N/A | 5.3 MEDIUM | ||
| A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.21.0), Mendix Runtime V10.12 (All versions < V10.12.16), Mendix Runtime V10.18 (All versions < V10.18.5), Mendix Runtime V10.6 (All versions < V10.6.22), Mendix Runtime V8 (All versions < V8.18.35), Mendix Runtime V9 (All versions < V9.24.34). Affected applications allow for entity enumeration due to distinguishable responses in certain client actions. This could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application. | |||||
| CVE-2025-3939 | 4 Blackberry, Linux, Microsoft and 1 more | 5 Qnx, Linux Kernel, Windows and 2 more | 2025-06-04 | N/A | 5.3 MEDIUM |
| Observable Response Discrepancy vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. | |||||
| CVE-2024-24766 | 1 Icewhale | 1 Casaos-userservice | 2025-05-28 | N/A | 6.2 MEDIUM |
| CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error `**User does not exist**`. If the password is incorrect application gives the error `**Invalid password**`. Version 0.4.7 fixes this issue. | |||||
| CVE-2025-48015 | 2025-05-21 | N/A | 3.7 LOW | ||
| Failed login response could be different depending on whether the username was local or central. | |||||
| CVE-2024-42174 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 3.7 LOW |
| HCL MyXalytics is affected by username enumeration vulnerability. This allows a malicious user to perform enumeration of application users, and therefore compile a list of valid usernames. | |||||
| CVE-2024-51447 | 2025-05-13 | N/A | 5.3 MEDIUM | ||
| A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.2). The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames. | |||||
| CVE-2025-46736 | 2025-05-07 | N/A | 5.3 MEDIUM | ||
| Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No known workarounds are available. | |||||
| CVE-2025-24342 | 2025-05-02 | N/A | 5.3 MEDIUM | ||
| A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests. | |||||
| CVE-2024-33856 | 1 Logpoint | 1 Siem | 2025-04-18 | N/A | 5.3 MEDIUM |
| An issue was discovered in Logpoint before 7.4.0. An attacker can enumerate a valid list of usernames by observing the response time at the Forgot Password endpoint. | |||||
| CVE-2019-19030 | 1 Linuxfoundation | 1 Harbor | 2025-04-14 | N/A | 5.3 MEDIUM |
| Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists. | |||||