Total
648 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-38465 | 1 Guoxinled | 1 Synthesis Image System | 2025-03-14 | N/A | 5.3 MEDIUM |
| Shenzhen Guoxin Synthesis image system before 8.3.0 allows username enumeration because of the response discrepancy of incorrect versus error. | |||||
| CVE-2024-5697 | 1 Mozilla | 1 Firefox | 2025-03-13 | N/A | 4.3 MEDIUM |
| A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox. This vulnerability affects Firefox < 127. | |||||
| CVE-2024-39921 | 1 Fujitsu | 38 Ipcom Ex2 Dc 3200, Ipcom Ex2 Dc 3200 Firmware, Ipcom Ex2 Dc 3500 and 35 more | 2025-03-13 | N/A | 7.5 HIGH |
| Observable timing discrepancy issue exists in IPCOM EX2 Series V01L02NF0001 to V01L06NF0401, V01L20NF0001 to V01L20NF0401, V02L20NF0001 to V02L21NF0301, and IPCOM VE2 Series V01L04NF0001 to V01L06NF0112. If this vulnerability is exploited, some of the encrypted communication may be decrypted by an attacker who can obtain the contents of the communication. | |||||
| CVE-2024-41760 | 2025-03-11 | N/A | 3.7 LOW | ||
| IBM Common Cryptographic Architecture 7.0.0 through 7.5.51 could allow an attacker to obtain sensitive information due to a timing attack during certain RSA operations. | |||||
| CVE-2022-21659 | 1 Dpgaspar | 1 Flask-appbuilder | 2025-03-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue. | |||||
| CVE-2021-29621 | 2 Apache, Dpgaspar | 2 Airflow, Flask-appbuilder | 2025-03-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve. | |||||
| CVE-2024-45089 | 1 Ibm | 1 Sterling B2b Integrator | 2025-03-05 | N/A | 4.3 MEDIUM |
| IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition EBICS server could allow an authenticated user to obtain sensitive filename information due to an observable discrepancy. | |||||
| CVE-2021-46876 | 1 Ibexa | 1 Ez Platform Kernel | 2025-03-05 | N/A | 5.3 MEDIUM |
| An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence. | |||||
| CVE-2023-37413 | 1 Ibm | 1 Aspera Faspex | 2025-03-04 | N/A | 5.3 MEDIUM |
| IBM Aspera Faspex 5.0.0 through 5.0.10 could disclose sensitive username information due to an observable response discrepancy. | |||||
| CVE-2024-41335 | 2025-02-28 | N/A | 7.5 HIGH | ||
| Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to utilize insecure versions of the functions strcmp and memcmp, allowing attackers to possibly obtain sensitive information via timing attacks. | |||||
| CVE-2024-30040 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2025-02-24 | N/A | 8.8 HIGH |
| Windows MSHTML Platform Security Feature Bypass Vulnerability | |||||
| CVE-2025-24011 | 1 Umbraco | 1 Umbraco Cms | 2025-02-20 | N/A | 5.3 MEDIUM |
| Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available. | |||||
| CVE-2023-26071 | 1 Harpaitalia | 1 Mcuboict | 2025-02-19 | N/A | 7.5 HIGH |
| An issue was discovered in MCUBO ICT through 10.12.4 (aka 6.0.2). An Observable Response Discrepancy can occur under the login web page. In particular, the web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor. That allow an unauthorized actor to perform User Enumeration attacks. | |||||
| CVE-2023-3897 | 1 42gears | 1 Suremdm | 2025-02-13 | N/A | 4.8 MEDIUM |
| Username enumeration is possible through Bypassing CAPTCHA in On-premise SureMDM Solution on Windows deployment allows attacker to enumerate local user information via error message. This issue affects SureMDM On-premise: 6.31 and below version | |||||
| CVE-2023-1998 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2025-02-13 | N/A | 5.6 MEDIUM |
| The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects. | |||||
| CVE-2019-16782 | 3 Fedoraproject, Opensuse, Rack | 3 Fedora, Leap, Rack | 2025-02-13 | 4.3 MEDIUM | 6.3 MEDIUM |
| There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. | |||||
| CVE-2023-50306 | 1 Ibm | 1 Common Licensing | 2025-02-12 | N/A | 4.0 MEDIUM |
| IBM Common Licensing 9.0 could allow a local user to enumerate usernames due to an observable response discrepancy. IBM X-Force ID: 273337. | |||||
| CVE-2024-28868 | 1 Umbraco | 1 Umbraco Cms | 2025-02-12 | N/A | 3.7 LOW |
| Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins. | |||||
| CVE-2024-30257 | 1 Fit2cloud | 1 1panel | 2025-02-11 | N/A | 3.9 LOW |
| 1Panel is an open source Linux server operation and maintenance management panel. The password verification in the source code uses the != symbol instead hmac.Equal. This may lead to a timing attack vulnerability. This vulnerability is fixed in 1.10.3-lts. | |||||
| CVE-2023-37482 | 2025-02-11 | N/A | 5.3 MEDIUM | ||
| The login functionality of the web server in affected devices does not normalize the response times of login attempts. An unauthenticated remote attacker could exploit this side-channel information to distinguish between valid and invalid usernames. | |||||