Total: 41 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-3336 | 1 Moxa | 2 Tn-5900, Tn-5900 Firmware | 2023-08-08 | 5.3 Medium |
TN-5900 Series version 3.3 and prior versions are vulnerable to a user enumeration vulnerability. The vulnerability may allow a remote attacker to determine whether a user is valid during password recovery through the web login page and enable a brute force attack with valid users. | ||||
CVE-2023-37217 | 1 Tadirantele | 1 Aeonix | 2023-08-04 | 5.3 Medium |
Tadiran Telecom Aeonix - CWE-204: Observable Response Discrepancy | ||||
CVE-2023-35698 | 1 Sick | 2 Icr890-4, Icr890-4 Firmware | 2023-07-18 | 5.3 Medium |
Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from the response given during a failed login attempt. | ||||
CVE-2022-39315 | 1 Getkirby | 1 Kirby | 2023-07-14 | 5.3 Medium |
Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1, and Kirby 3.8.1. In all of the mentioned releases, the maintainers have rewritten the affected code so that the delay is also inserted after the brute force limit is reached. | ||||
CVE-2023-31186 | 1 Avaya | 1 Ix Workforce Engagement | 2023-06-02 | 5.3 Medium |
Avaya IX Workforce Engagement v15.2.7.1195 - User Enumeration - Observable Response Discrepancy | ||||
CVE-2023-32346 | 1 Teltonika | 1 Remote Management System | 2023-05-31 | 5.3 Medium |
Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been claimed, or whether the attempt to claim a device was successful. An attacker could exploit this to create a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System. | ||||
CVE-2023-28412 | 2 Control4, Snapone | 13 Ca-1, Ca-10, Ea-1 and 10 more | 2023-05-30 | 5.3 Medium |
When supplied with a random MAC address, Snap One OvrC cloud servers will return information about the device. The MAC address of devices can be enumerated in an attack and the OvrC cloud will disclose their information. | ||||
CVE-2023-23449 | 1 Sick | 14 Ftmg-esd15axx, Ftmg-esd15axx Firmware, Ftmg-esd20axx and 11 more | 2023-05-25 | 5.3 Medium |
Observable Response Discrepancy in SICK FTMg AIR FLOW SENSOR with part numbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker to gain information about valid usernames by analyzing challenge responses from the server via the REST interface. | ||||
CVE-2023-27464 | 1 Mendix | 1 Forgot Password | 2023-04-19 | 5.3 Medium |
A vulnerability has been identified in Mendix Forgot Password (Mendix 7 compatible) (All versions < V3.7.1), Mendix Forgot Password (Mendix 8 compatible) (All versions < V4.1.1), Mendix Forgot Password (Mendix 9 compatible) (All versions < V5.1.1). The affected versions of the module contain an observable response discrepancy issue that could allow an attacker to retrieve sensitive information. | ||||
CVE-2023-1540 | 1 Answer | 1 Answer | 2023-03-23 | 5.3 Medium |
Observable Response Discrepancy in GitHub repository answerdev/answer prior to 1.0.6. | ||||
CVE-2022-41697 | 1 Ghost | 1 Ghost | 2022-12-29 | 5.3 Medium |
A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability. | ||||
CVE-2021-36201 | 1 Johnsoncontrols | 2 C-cure 9000, C-cure 9000 Firmware | 2022-12-09 | 5.3 Medium |
Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions. | ||||
CVE-2022-22520 | 2 Helmholz, Mbconnectline | 4 Myrex24, Myrex24.virtual, Mbconnect24 and 1 more | 2022-10-01 | 5.3 Medium |
A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. | ||||
CVE-2022-1989 | 1 Codesys | 1 Visualization | 2022-08-26 | 5.3 Medium |
All CODESYS Visualization versions before V4.2.0.0 generate a login dialog vulnerable to information exposure allowing a remote, unauthenticated attacker to enumerate valid users. | ||||
CVE-2021-20049 | 1 Sonicwall | 12 Sma100, Sma200, Sma210 and 9 more | 2022-07-08 | 7.5 High |
A vulnerability in SonicWall SMA100 password change API allows a remote unauthenticated attacker to perform SMA100 username enumeration based on the server responses. This vulnerability impacts 10.2.1.2-24sv, 10.2.0.8-37sv and earlier 10.x versions. | ||||
CVE-2022-31248 | 1 Suse | 1 Manager Server | 2022-06-30 | 5.3 Medium |
An Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1 and SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1; SUSE Manager Server 4.2 spacewalk-java versions prior to 4.2.37-1. | ||||
CVE-2021-34580 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2021-11-01 | 7.5 High |
In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts. | ||||
CVE-2021-38476 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2021-10-22 | 5.3 Medium |
In InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870, the authentication process response indicates and validates the existence of a username. This may allow an attacker to enumerate different user accounts. | ||||
CVE-2021-39189 | 1 Pimcore | 1 Pimcore | 2021-09-27 | 5.3 Medium |
Pimcore is an open source data & experience management platform. In versions prior to 10.1.3, it is possible to enumerate usernames via the forgot password functionality. This issue is fixed in version 10.1.3. As a workaround, one may apply the available patch manually. | ||||
CVE-2020-11063 | 1 Typo3 | 1 Typo3 | 2020-05-15 | 3.7 Low |
In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2. |