Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.
The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
AnalysisAI
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-204. The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences. Affected products include: Wso2 Wso2 Identity Server, Wso2 Wso2 Open Banking Iam, Wso2 Wso2 Identity Server As Key Manager, Wso2 Email Otp Authenticator, Wso2 Wso2 Carbon Authenticator Library For Emailotp.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Wso2 Identity Server
View allMemory exhaustion denial-of-service in WSO2 Identity Server's Magic Link authenticator allows remote unauthenticated att
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authentic
WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentica
Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, AP
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This fail
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segrega
Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati
Same weakness CWE-204 – Observable Response Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2024-16187
GHSA-r9x2-mg2v-mq96