CVE-2024-0391
Published: 2026-05-11 · Last updated: 2026-05-27
Severity and scoring
- CVSS: 5.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CWE: CWE-204 (Observable Response Discrepancy)
Affected products
| Vendor | Product |
|---|---|
| wso2 | identity_server, identity_server_as_key_manager, open_banking_iam |
Description
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2025-9973 — Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive aut... (6.4 MEDIUM)
- CVE-2025-10470 — The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, l... (8.6 HIGH)
- CVE-2025-8325 — The software fails to enforce role-based access controls for certain Gateway API invocations (6.3 MEDIUM)
- CVE-2025-8154 — In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitizat... (5.3 MEDIUM)
- CVE-2025-10908 — Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic ... (7.3 HIGH)
Same CWE
- CVE-2026-43926 — FOSSBilling is a free, open-source billing and client management system
- CVE-2026-45294 — FreeScout is a free help desk and shared inbox built with PHP's Laravel framework (5.3 MEDIUM)
- CVE-2026-45620 — WWBN AVideo is an open source video platform (5.3 MEDIUM)
- CVE-2018-25350 — userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sendi... (9.8 CRITICAL)
- CVE-2023-35698 — Observable Response Discrepancy in the SICK ICR890-4 could allow a remote attacker to identify valid usernames for the FTP server from th... (5.3 MEDIUM)