CVEbaza.plCWE DictionaryCWE-204
Common Weakness Enumeration

CWE-204

Observable Response Discrepancy

Category: BaseCVE: 161
Description

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

CVE vulnerabilities with CWE-204 (161)
9.3
CVSS
CRITICAL
CVE-2018-25350

userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system.

pub. 2026-05-23
9.1
CVSS
CRITICAL
CVE-2026-33419

MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

pub. 2026-03-24
8.8
CVSS
HIGH
CVE-2025-5485

User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences.

pub. 2025-06-12
7.5
CVSS
HIGH
CVE-2025-46390

CWE-204: Observable Response Discrepancy

pub. 2025-08-06
7.5
CVSS
HIGH
CVE-2025-3092

An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.

pub. 2025-06-24
7.5
CVSS
HIGH
CVE-2021-20049

A vulnerability in SonicWall SMA100 password change API allows a remote unauthenticated attacker to perform SMA100 username enumeration based on the server responses. This vulnerability impacts 10.2.1.2-24sv, 10.2.0.8-37sv and earlier 10.x versions.

pub. 2021-12-23
7.5
CVSS
HIGH
CVE-2021-34580

In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.

pub. 2021-10-27
7.2
CVSS
HIGH
CVE-2026-4113

An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials.

pub. 2026-04-09
7.1
CVSS
HIGH
CVE-2025-61907

Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13.

pub. 2025-10-16
6.9
CVSS
MEDIUM
CVE-2026-53908

MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

pub. 2026-07-01
6.9
CVSS
MEDIUM
CVE-2026-54445

vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username `root` and password `root`. This is not ideal because attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights, and the initial password is very weak and it is possible that administrators forget to reset it. Version 5.0.0 fixes the issue. As a workaround, it is possible to delete the `root` user after it has been used to create other users.

pub. 2026-06-17
6.9
CVSS
MEDIUM
CVE-2025-69243

Raytha CMS is vulnerable to User Enumeration in password reset functionality. Difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. This issue was fixed in version 1.5.0.

pub. 2026-03-16
6.9
CVSS
MEDIUM
CVE-2019-25338

DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server's error response messages.

pub. 2026-02-12
6.9
CVSS
MEDIUM
CVE-2025-67874

ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.

pub. 2025-12-16
6.9
CVSS
MEDIUM
CVE-2021-47717

IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by exploiting the 'ctl00$MainContent$UserName' POST parameter. Attackers can send requests with valid usernames to retrieve user information.

pub. 2025-12-09
6.9
CVSS
MEDIUM
CVE-2025-40806

A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1). The affected application is vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users.

pub. 2025-12-09
6.9
CVSS
MEDIUM
CVE-2025-59116

Windu CMS is vulnerable to User Enumeration. This issue occurs during logon, where a difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

pub. 2025-11-18
6.9
CVSS
MEDIUM
CVE-2025-34155

Tibbo AggreGate Network Manager < 6.40.05 contains an observable response discrepancy in its login functionality. Authentication failure messages differ based on whether a supplied username exists or not, allowing an unauthenticated remote attacker to infer valid account identifiers. This can facilitate user enumeration and increase the likelihood of targeted brute-force or credential-stuffing attacks.

pub. 2025-10-23
6.9
CVSS
MEDIUM
CVE-2025-62236

The Frontier Airlines website has a publicly available endpoint that validates if an email addresses is associated with an account. An unauthenticated, remote attacker could determine valid email addresses, possibly aiding in further attacks.

pub. 2025-10-23
6.9
CVSS
MEDIUM
CVE-2025-34254

D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Login' endpoint returns distinct JSON responses depending on whether the supplied username is associated with an existing account. Because the responses differ in the `error.message`string value, an unauthenticated remote attacker can enumerate valid usernames/accounts on the server. NOTE: D-Link states that a fix is under development.

pub. 2025-10-16
Showing 20 of 161 vulnerabilities
Information
ID: CWE-204
Type: Base
Vulnerabilities: 161
MITRE CWE ↗
← CWE Dictionary