FKIE_CVE-2024-0391

Vulnerability from fkie_nvd - Published: 2026-05-11 10:16 - Updated: 2026-05-27 19:54
Severity
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
References
ed10eef1-636d-4fbe-9993-6890dfa878f8https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/Vendor Advisory
Impacted products
Vendor Product Version
wso2 identity_server *
wso2 identity_server *
wso2 identity_server *
wso2 identity_server *
wso2 identity_server *
wso2 identity_server_as_key_manager *
wso2 open_banking_iam *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "760849A7-CF72-4CF1-BEC6-8E47AC5ADE29",
              "versionEndExcluding": "5.10.0.379",
              "versionStartIncluding": "5.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4F45B46-613A-4DE3-B6BB-A30D635A860E",
              "versionEndExcluding": "5.11.0.426",
              "versionStartIncluding": "5.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7AE280EA-5F20-4D83-A72A-07526AF65067",
              "versionEndExcluding": "6.0.0.253",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A34A0057-4EE7-4D20-A343-09592A508849",
              "versionEndExcluding": "6.1.0.254",
              "versionStartIncluding": "6.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "110F5D8D-32E8-4E7B-8925-D04781FC8B2D",
              "versionEndExcluding": "7.0.0.131",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EAEE7A87-67DA-4266-B0D0-7E4FD5475B4F",
              "versionEndExcluding": "5.10.267",
              "versionStartIncluding": "5.10.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wso2:open_banking_iam:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D551292-3788-4775-B02A-1C8CA02AFECC",
              "versionEndExcluding": "2.0.0.318",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization\u0027s reputation and leading to regulatory non-compliance and financial consequences."
    }
  ],
  "id": "CVE-2024-0391",
  "lastModified": "2026-05-27T19:54:32.347",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-05-11T10:16:11.593",
  "references": [
    {
      "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/"
    }
  ],
  "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-204"
        }
      ],
      "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.