5.3
CVE-2025-1396
- EPSS 0.04%
- Published 26.09.2025 08:15:38
- Last modified 06.10.2025 13:44:11
- Source ed10eef1-636d-4fbe-9993-6890df
- Teams watchlist Login
- Open Login
A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based on observable discrepancies in the application's responses. Exploitation of this vulnerability could aid in brute-force attacks, targeted phishing campaigns, or other social engineering techniques by confirming the validity of user identifiers within the system.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Data is provided by the National Vulnerability Database (NVD)
Wso2 ≫ Identity Server Version5.10.0
Wso2 ≫ Identity Server Version5.11.0
Wso2 ≫ Identity Server Version6.0.0
Wso2 ≫ Identity Server Version6.1.0
Wso2 ≫ Identity Server As Key Manager Version5.10.0
Wso2 ≫ Open Banking Iam Version2.0.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.109 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
| ed10eef1-636d-4fbe-9993-6890dfa878f8 | 3.7 | 2.2 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
|
CWE-203 Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.