CVE Catalog

CVE-2018-25350

Critical
Published: Translated: NVD NIST

Summary

userSpice version 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint.

Risk Assessment

Attackers can identify existing accounts in the system, which may lead to further attacks such as credential stuffing or phishing.

Recommendation

It is recommended to restrict access to the existingUsernameCheck.php endpoint for unauthorized users and implement additional security measures.

Original NVD description (English source)

userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS