5.3

CVE-2024-0391

Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.

The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wso2Identity Server Version >= 5.10.0 < 5.10.0.379
Wso2Identity Server Version >= 5.11.0 < 5.11.0.426
Wso2Identity Server Version >= 6.0.0 < 6.0.0.253
Wso2Identity Server Version >= 6.1.0 < 6.1.0.254
Wso2Identity Server Version >= 7.0.0 < 7.0.0.131
Wso2Identity Server As Key Manager Version >= 5.10.0 < 5.10.267
Wso2Open Banking Iam Version >= 2.0.0 < 2.0.0.318
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.18% 0.081
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
ed10eef1-636d-4fbe-9993-6890dfa878f8 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-204 Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/
Vendor Advisory