Total
105 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1101 | 1 Q-free | 1 Maxtime | 2025-10-24 | N/A | 5.3 MEDIUM |
| A CWE-204 "Observable Response Discrepancy" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests. | |||||
| CVE-2025-62236 | 2025-10-23 | N/A | 5.3 MEDIUM | ||
| The Frontier Airlines website has a publicly available endpoint that validates if an email addresses is associated with an account. An unauthenticated, remote attacker could determine valid email addresses, possibly aiding in further attacks. | |||||
| CVE-2025-23193 | 1 Sap | 1 Sap Basis | 2025-10-23 | N/A | 5.3 MEDIUM |
| SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability. | |||||
| CVE-2025-34155 | 2025-10-23 | N/A | N/A | ||
| Tibbo AggreGate Network Manager < 6.40.05 contains an observable response discrepancy in its login functionality. Authentication failure messages differ based on whether a supplied username exists or not, allowing an unauthenticated remote attacker to infer valid account identifiers. This can facilitate user enumeration and increase the likelihood of targeted brute-force or credential-stuffing attacks. | |||||
| CVE-2025-61789 | 2025-10-21 | N/A | 5.3 MEDIUM | ||
| Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used. | |||||
| CVE-2025-34255 | 2025-10-21 | N/A | N/A | ||
| D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Forgot Password' endpoint returns distinct JSON responses depending on whether the supplied email address is associated with an existing account. Because the responses differ in the `data.exist` boolean value, an unauthenticated remote attacker can enumerate valid email addresses/accounts on the server. NOTE: D-Link states that a fix is under development. | |||||
| CVE-2025-61907 | 2025-10-21 | N/A | N/A | ||
| Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13. | |||||
| CVE-2025-34254 | 2025-10-21 | N/A | N/A | ||
| D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Login' endpoint returns distinct JSON responses depending on whether the supplied username is associated with an existing account. Because the responses differ in the `error.message`string value, an unauthenticated remote attacker can enumerate valid usernames/accounts on the server. NOTE: D-Link states that a fix is under development. | |||||
| CVE-2025-56764 | 1 Trivisionsecurity | 2 Trivision Nc-227wf, Trivision Nc-227wf Firmware | 2025-10-18 | N/A | 5.3 MEDIUM |
| Trivision NC-227WF firmware 5.80 (build 20141010) login mechanism reveals whether a username exists or not by returning different error messages ("Unknown user" vs. "Wrong password"), allowing an attacker to enumerate valid usernames. | |||||
| CVE-2024-1145 | 1 Alma | 1 Alma Blog | 2025-10-15 | N/A | 5.3 MEDIUM |
| User enumeration vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow a remote user to retrieve all valid users registered in the application just by looking at the request response. | |||||
| CVE-2025-42903 | 2025-10-14 | N/A | 4.3 MEDIUM | ||
| A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or availability. | |||||
| CVE-2025-0693 | 2025-10-14 | N/A | 5.3 MEDIUM | ||
| Variable response times in the AWS Sign-in IAM user login flow allowed for the use of brute force enumeration techniques to identify valid IAM usernames in an arbitrary AWS account. | |||||
| CVE-2025-58586 | 2025-10-06 | N/A | 5.3 MEDIUM | ||
| For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one. | |||||
| CVE-2024-13198 | 1 Mtons | 1 Mblog | 2025-09-24 | 2.6 LOW | 3.7 LOW |
| A vulnerability classified as problematic has been found in langhsu Mblog Blog System 3.5.0. Affected is an unknown function of the file /login. The manipulation leads to observable response discrepancy. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-54834 | 1 Opexus | 1 Foiaxpress Public Access Link | 2025-09-12 | N/A | 5.3 MEDIUM |
| OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place. | |||||
| CVE-2025-58442 | 2025-09-11 | N/A | 5.3 MEDIUM | ||
| Saleor is an e-commerce platform. Starting in version 3.21.0 and prior to version 3.21.16, requesting certain fields in the response of `accountRegister` may result in errors that could unintentionally reveal whether a user with the provided email already exists in Saleor. Version 3.21.16 fixes the issue. As a workaround, rate-limit the mutation to reduce the impact. | |||||
| CVE-2025-30150 | 1 Shopware | 1 Shopware | 2025-09-10 | N/A | 5.3 MEDIUM |
| Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found. This vulnerability is fixed in Shopware 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. | |||||
| CVE-2025-9109 | 1 Portabilis | 1 I-diario | 2025-09-10 | 2.6 LOW | 3.7 LOW |
| A security flaw has been discovered in Portabilis i-Diario up to 1.5.0. Affected by this vulnerability is an unknown functionality of the file /password/email of the component Password Recovery Endpoint. The manipulation results in observable response discrepancy. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-9824 | 2025-09-04 | N/A | 5.9 MEDIUM | ||
| ImpactThe attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks. PatchesThis vulnerability has been patched, implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether a user exists or not. Technical DetailsThe vulnerability was caused by different response times when: * A valid username was provided (password hashing occurred) * An invalid username was provided (no password hashing occurred) The fix introduces a TimingSafeFormLoginAuthenticator that performs a dummy password hash verification even for non-existent users, ensuring consistent timing. WorkaroundsNo workarounds are available. Users should upgrade to the patched version. References * https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account | |||||
| CVE-2025-46736 | 1 Umbraco | 1 Umbraco Cms | 2025-09-03 | N/A | 5.3 MEDIUM |
| Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No known workarounds are available. | |||||