CVE-2024-0391

Published: Mag 11, 2026 Last Modified: Mag 11, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,3

Source: ed10eef1-636d-4fbe-9993-6890dfa878f8

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: none

Availability: none

Description

AI Translation Available

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.

The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.

204

Observable Response Discrepancy

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Access Control

Potential Impacts:

Read Application Data Bypass Protection Mechanism

Applicable Platforms

All platforms may be affected

View CWE Details

https://security.docs.wso2.com/en/latest/security-announcem…

https://security.docs.wso2.com/en/latest/security-announcements/security-adviso…

CVE-2024-0391

Description

Observable Response Discrepancy

Common Consequences

Applicable Platforms

Iscriviti alla newsletter