Common Weakness Enumeration

CWE-204

Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

CVE-2026-44306 (GCVE-0-2026-44306)

Vulnerability from cvelistv5 – Published: 2026-05-12 21:30 – Updated: 2026-05-13 18:20
VLAI
Title
Statamic: Email enumeration via forgot password endpoint
Summary
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-204 - Observable Response Discrepancy
Assigner
References
Impacted products
Vendor Product Version
statamic cms Affected: < 5.73.21
Affected: >= 6.0.0, < 6.15.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44306",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T18:15:50.669186Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T18:20:39.730Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "statamic",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.73.21"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.15.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T21:30:36.390Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67"
        }
      ],
      "source": {
        "advisory": "GHSA-m24v-f7g5-gq67",
        "discovery": "UNKNOWN"
      },
      "title": "Statamic: Email enumeration via forgot password endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44306",
    "datePublished": "2026-05-12T21:30:36.390Z",
    "dateReserved": "2026-05-05T19:00:06.021Z",
    "dateUpdated": "2026-05-13T18:20:39.730Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45294 (GCVE-0-2026-45294)

Vulnerability from cvelistv5 – Published: 2026-05-29 19:52 – Updated: 2026-06-02 01:56
VLAI
Title
FreeScout: User Account Enumeration via Password Reset Response Differentiation
Summary
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-203 - Observable Discrepancy
  • CWE-204 - Observable Response Discrepancy
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45294",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-02T01:55:58.005065Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-02T01:56:24.269Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-jvmv-2qcp-7855"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "freescout",
          "vendor": "freescout-help-desk",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.219"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FreeScout is a free help desk and shared inbox built with PHP\u0027s Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-203",
              "description": "CWE-203: Observable Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-29T19:52:22.535Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-jvmv-2qcp-7855",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-jvmv-2qcp-7855"
        }
      ],
      "source": {
        "advisory": "GHSA-jvmv-2qcp-7855",
        "discovery": "UNKNOWN"
      },
      "title": "FreeScout: User Account Enumeration via Password Reset Response Differentiation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45294",
    "datePublished": "2026-05-29T19:52:22.535Z",
    "dateReserved": "2026-05-11T20:14:43.201Z",
    "dateUpdated": "2026-06-02T01:56:24.269Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45620 (GCVE-0-2026-45620)

Vulnerability from cvelistv5 – Published: 2026-05-29 13:07 – Updated: 2026-05-30 02:30
VLAI
Title
AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration
Summary
WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-204 - Observable Response Discrepancy
  • CWE-285 - Improper Authorization
Assigner
References
Impacted products
Vendor Product Version
WWBN AVideo Affected: <= 29.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45620",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-30T02:30:19.772670Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-30T02:30:36.945Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 29.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match(\u0027/^@/\u0027, $_REQUEST[\u0027term\u0027]) and hard-coded rowCount=10. This enables unauthenticated user enumeration."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-29T13:07:19.969Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79"
        }
      ],
      "source": {
        "advisory": "GHSA-vpfx-pxqw-2w79",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45620",
    "datePublished": "2026-05-29T13:07:19.969Z",
    "dateReserved": "2026-05-12T20:31:43.449Z",
    "dateUpdated": "2026-05-30T02:30:36.945Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53422 (GCVE-0-2026-53422)

Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:28
VLAI
Title
SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root
Summary
Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory. The SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths. An authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points. The vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-204 - Observable Response Discrepancy
Assigner
EEF
Impacted products
Vendor Product Version
Erlang OTP Affected: 3.0.1 , < * (otp)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Create a notification for this product.
Erlang OTP Affected: 17.0 , < * (otp)
Affected: 84adefa331c4159d432d22840663c38f155cd4c1 , < * (git)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Mohamed Ali IBNAL HAJALI / Ericsson Michał Wąsowski Jakub Witczak
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53422",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T17:29:13.490797Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T17:29:32.878Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "ssh_sftpd"
          ],
          "packageName": "ssh",
          "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/ssh_sftpd.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_sftpd:handle_op/4"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "5.5.2.2",
                  "status": "unaffected"
                },
                {
                  "at": "5.2.11.9",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "3.0.1",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "ssh_sftpd"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssh/src/ssh_sftpd.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_sftpd:handle_op/4"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.0",
              "versionType": "otp"
            },
            {
              "changes": [
                {
                  "at": "059e5785ef8c1d423820ca633fb7b37f47645172",
                  "status": "unaffected"
                },
                {
                  "at": "86622cfaacf57a02c7645d1999f946846b504c94",
                  "status": "unaffected"
                },
                {
                  "at": "c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "84adefa331c4159d432d22840663c38f155cd4c1",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe SFTP subsystem must be configured with the \u003ctt\u003eroot\u003c/tt\u003e option in \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e, and the operator must rely on it to provide filesystem path isolation. The \u003ctt\u003eroot\u003c/tt\u003e option is not set by default.\u003c/p\u003e"
            }
          ],
          "value": "The SFTP subsystem must be configured with the root option in ssh_sftpd:subsystem_spec/1, and the operator must rely on it to provide filesystem path isolation. The root option is not set by default."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.3",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.3",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mohamed Ali IBNAL HAJALI / Ericsson"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Micha\u0142 W\u0105sowski"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Jakub Witczak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eObservable Response Discrepancy vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eSSH_FXP_REALPATH\u003c/tt\u003e handler in \u003ctt\u003essh_sftpd\u003c/tt\u003e calls \u003ctt\u003erelate_file_name/3\u003c/tt\u003e with \u003ctt\u003eCanonicalize=false\u003c/tt\u003e, unlike every other SFTP operation handler. This allows \u003ctt\u003e..\u003c/tt\u003e components in the requested path to bypass the \u003ctt\u003eis_within_root/2\u003c/tt\u003e check without being resolved. The un-canonicalized path then enters \u003ctt\u003eresolve_symlinks/2\u003c/tt\u003e, which walks up the directory tree above the configured root and issues \u003ctt\u003eread_link()\u003c/tt\u003e syscalls on arbitrary filesystem paths.\u003c/p\u003e\u003cp\u003eAn authenticated SFTP client can exploit this by sending a \u003ctt\u003eREALPATH\u003c/tt\u003e request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (\u003ctt\u003eSSH_FXP_NAME\u003c/tt\u003e when the path resolves successfully, \u003ctt\u003eSSH_FX_NO_SUCH_FILE\u003c/tt\u003e when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.\u003c/p\u003e\u003cp\u003eThe vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routine \u003ctt\u003essh_sftpd:handle_op/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.\u003c/p\u003e"
            }
          ],
          "value": "Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.\n\nThe SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.\n\nAn authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.\n\nThe vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-54",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-54 Query System for Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204 Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T04:28:59.578Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-h9pw-h5w4-h976"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-53422.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53422"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/059e5785ef8c1d423820ca633fb7b37f47645172"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/86622cfaacf57a02c7645d1999f946846b504c94"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level \u003ctt\u003eroot\u003c/tt\u003e option.\u003c/li\u003e\u003cli\u003eEnsure the SFTP server port on the machine running the Erlang/OTP SFTP server is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive information (usernames, project names, mount topology) is inferrable from the existence or non-existence of paths on the host filesystem.\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "* Use OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.\n* Ensure the SFTP server port on the machine running the Erlang/OTP SFTP server is not reachable from untrusted machines.\n* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the existence or non-existence of paths on the host filesystem."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-53422",
    "datePublished": "2026-07-02T16:06:03.802Z",
    "dateReserved": "2026-06-09T11:01:47.529Z",
    "dateUpdated": "2026-07-03T04:28:59.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53908 (GCVE-0-2026-53908)

Vulnerability from cvelistv5 – Published: 2026-07-01 11:59 – Updated: 2026-07-01 13:38
VLAI
Title
User Enumeration in MCO
Summary
MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-204 - Observable Response Discrepancy
Assigner
References
Impacted products
Vendor Product Version
MyComplianceOffice MCO Affected: 25.3.3.1 (custom)
Create a notification for this product.
Credits
Hubert Decyusz (AFINE Team)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53908",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T13:38:01.720598Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T13:38:09.459Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "MCO",
          "vendor": "MyComplianceOffice",
          "versions": [
            {
              "status": "affected",
              "version": "25.3.3.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hubert Decyusz (AFINE Team)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses.\u003cbr\u003e\u003cbr\u003eBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1\u0026nbsp;but may also affect other versions."
            }
          ],
          "value": "MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses.\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1\u00a0but may also affect other versions."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204 Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T11:59:15.246Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/07/CVE-2026-53902"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://mco.mycomplianceoffice.com/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "User Enumeration in MCO",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2026-53908",
    "datePublished": "2026-07-01T11:59:15.246Z",
    "dateReserved": "2026-06-11T07:44:52.179Z",
    "dateUpdated": "2026-07-01T13:38:09.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53947 (GCVE-0-2026-53947)

Vulnerability from cvelistv5 – Published: 2026-06-24 18:07 – Updated: 2026-06-25 17:09
VLAI
Title
Ghost: Member existence leak via magic link sign-in response
Summary
Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is fixed in 6.21.1.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-204 - Observable Response Discrepancy
Assigner
References
Impacted products
Vendor Product Version
TryGhost Ghost Affected: >= 5.18.0, < 6.21.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53947",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T17:09:11.479372Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T17:09:22.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Ghost",
          "vendor": "TryGhost",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.18.0, \u003c 6.21.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is fixed in 6.21.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T18:07:42.965Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-chgm-3698-jm42",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-chgm-3698-jm42"
        }
      ],
      "source": {
        "advisory": "GHSA-chgm-3698-jm42",
        "discovery": "UNKNOWN"
      },
      "title": "Ghost: Member existence leak via magic link sign-in response"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-53947",
    "datePublished": "2026-06-24T18:07:42.965Z",
    "dateReserved": "2026-06-11T15:50:01.281Z",
    "dateUpdated": "2026-06-25T17:09:22.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54445 (GCVE-0-2026-54445)

Vulnerability from cvelistv5 – Published: 2026-06-17 22:14 – Updated: 2026-06-18 15:49
VLAI
Title
Vantage6: Set admin user and password from environment or configuration
Summary
vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username `root` and password `root`. This is not ideal because attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights, and the initial password is very weak and it is possible that administrators forget to reset it. Version 5.0.0 fixes the issue. As a workaround, it is possible to delete the `root` user after it has been used to create other users.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-204 - Observable Response Discrepancy
  • CWE-1393 - Use of Default Password
Assigner
Impacted products
Vendor Product Version
vantage6 vantage6 Affected: < 5.0.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54445",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T15:49:25.888301Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T15:49:54.097Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vantage6",
          "vendor": "vantage6",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username `root` and password `root`. This is not ideal because attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights, and the initial password is very weak and it is possible that administrators forget to reset it. Version 5.0.0 fixes the issue. As a workaround, it is possible to delete the `root` user after it has been used to create other users."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1393",
              "description": "CWE-1393: Use of Default Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T22:14:51.461Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-fgmc-2hqj-86v4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-fgmc-2hqj-86v4"
        },
        {
          "name": "https://github.com/vantage6/vantage6/issues/1932",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vantage6/vantage6/issues/1932"
        },
        {
          "name": "https://github.com/vantage6/vantage6/blob/main/docs/release_notes.rst#500",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vantage6/vantage6/blob/main/docs/release_notes.rst#500"
        }
      ],
      "source": {
        "advisory": "GHSA-fgmc-2hqj-86v4",
        "discovery": "UNKNOWN"
      },
      "title": "Vantage6: Set admin user and password from environment or configuration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54445",
    "datePublished": "2026-06-17T22:14:51.461Z",
    "dateReserved": "2026-06-15T15:30:40.317Z",
    "dateUpdated": "2026-06-18T15:49:54.097Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8242 (GCVE-0-2026-8242)

Vulnerability from cvelistv5 – Published: 2026-05-10 08:15 – Updated: 2026-05-11 17:31
VLAI
Title
Industrial Application Software IAS Canias ERP Login RMI doAction response discrepancy
Summary
A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results in observable response discrepancy. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-204 - Observable Response Discrepancy
  • CWE-203 - Information Exposure Through Discrepancy
Assigner
References
URL Tags
https://vuldb.com/vuln/362458 vdb-entrytechnical-description
https://vuldb.com/vuln/362458/cti signaturepermissions-required
https://vuldb.com/submit/808295 third-party-advisory
https://hawktrace.com/blog/caniaserp related
https://gist.github.com/0xb1lal/85422a63c10a001c7… broken-linkexploit
Impacted products
Credits
Bilal Güneş (HawkTrace) b1lal (VulDB User) b1lal (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8242",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T15:58:49.217937Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T17:31:39.315Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Login RMI Interface"
          ],
          "product": "Canias ERP",
          "vendor": "Industrial Application Software IAS",
          "versions": [
            {
              "status": "affected",
              "version": "8.03"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bilal G\u00fcne\u015f (HawkTrace)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "b1lal (VulDB User)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "b1lal (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results in observable response discrepancy. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.6,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-203",
              "description": "Information Exposure Through Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T13:10:02.762Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-362458 | Industrial Application Software IAS Canias ERP Login RMI doAction response discrepancy",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/362458"
        },
        {
          "name": "VDB-362458 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/362458/cti"
        },
        {
          "name": "Submit #808295 | Industrial Application Software - IAS Canias ERP 8.03-- Observable Response Discrepancy (CWE-204)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/808295"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://hawktrace.com/blog/caniaserp"
        },
        {
          "tags": [
            "broken-link",
            "exploit"
          ],
          "url": "https://gist.github.com/0xb1lal/85422a63c10a001c75a22365457de624"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-09T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-05-09T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-05-11T15:11:24.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Industrial Application Software IAS Canias ERP Login RMI doAction response discrepancy"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-8242",
    "datePublished": "2026-05-10T08:15:08.901Z",
    "dateReserved": "2026-05-09T16:33:13.131Z",
    "dateUpdated": "2026-05-11T17:31:39.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}



Mitigation ID: MIT-46

Phase: Architecture and Design

Strategy: Separation of Privilege

Description:

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation ID: MIT-39

Phase: Implementation

Description:

  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-331: ICMP IP Total Length Field Probe

An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.

CAPEC-332: ICMP IP 'ID' Field Error Message Probe

An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.

CAPEC-541: Application Fingerprinting

An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.

CAPEC-580: System Footprinting

An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.

Back to CWE stats page