CVE-2018-25350
CriticalSummary
userSpice version 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint.
Risk Assessment
Attackers can identify existing accounts in the system, which may lead to further attacks such as credential stuffing or phishing.
Recommendation
It is recommended to restrict access to the existingUsernameCheck.php endpoint for unauthorized users and implement additional security measures.
Original NVD description (English source)
userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system.

