CVE-2018-25350
9.8 CRITICALuserSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sendi...
Published: 2026-05-23 · Last updated: 2026-05-26
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-204
Description
userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-43926 — FOSSBilling is a free, open-source billing and client management system
- CVE-2026-45294 — FreeScout is a free help desk and shared inbox built with PHP's Laravel framework (5.3 MEDIUM)
- CVE-2026-45620 — WWBN AVideo is an open source video platform (5.3 MEDIUM)
- CVE-2024-0391 — The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the exis... (5.3 MEDIUM)
- CVE-2023-35698 — Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from th... (5.3 MEDIUM)