Description

The "check user account lock state" feature of the email OTP flow does not validate user input, and its differing responses allow an attacker to infer whether a given username belongs to a registered account. Knowing valid usernames raises the risk of brute-force and social engineering attacks: attackers can use the list to craft targeted phishing campaigns or other activities that trick users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
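The weakness class above is CWE-204: the server answers differently depending on whether an account exists or is locked, so the response itself becomes an oracle. The following Python block is an added illustration, not WSO2 code and not taken from the advisory; the user store, the handler names, the messages and the mailer stand-in are all constructed. It places a leaking OTP-request handler beside a hardened one that still honours the lock state but returns one uniform response, and includes a small regression check a defender can run over a set of usernames.

```python
"""Added example of CWE-204 (observable response discrepancy) in an email-OTP
flow. Not WSO2 code: the user store, handler names and messages are constructed
for illustration only."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample user store: username -> (email, account_locked)
USERS = {
    "alice": ("alice@example.test", False),   # active account
    "bob": ("bob@example.test", True),        # locked account
}


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP response: status code plus message body."""
    status: int
    message: str


def vulnerable_request_otp(username: str, sent: Optional[List[str]] = None) -> Response:
    """Leaks account existence and lock state: three inputs, three distinct replies."""
    if username not in USERS:
        return Response(404, "user not found")          # reveals: not registered
    email, locked = USERS[username]
    if locked:
        return Response(403, "account locked")          # reveals: registered and locked
    if sent is not None:
        sent.append(email)                              # stand-in for sending the OTP mail
    return Response(200, "otp sent")                    # reveals: registered and active


GENERIC_MESSAGE = "If the account exists and is eligible, a one-time code has been sent."


def hardened_request_otp(username: str, sent: Optional[List[str]] = None) -> Response:
    """Same lock-state gate as above, but the decision never reaches the response.

    Unknown, locked and active usernames all receive an identical status and body,
    so the lock check can no longer be used as an existence oracle.
    """
    record = USERS.get(username)
    if record is not None and not record[1]:
        if sent is not None:
            sent.append(record[0])                      # OTP only goes to eligible accounts
    return Response(200, GENERIC_MESSAGE)


def responses_are_uniform(handler: Callable[[str], Response],
                          usernames: Iterable[str]) -> bool:
    """Regression check: True if every probe username yields the same response.

    Run this with a mix of unregistered, locked and active usernames; a False
    result means the handler still exposes an observable discrepancy.
    """
    return len({handler(u) for u in usernames}) == 1


if __name__ == "__main__":
    probes = ["alice", "bob", "nobody"]
    print("vulnerable uniform:", responses_are_uniform(vulnerable_request_otp, probes))
    print("hardened uniform:  ", responses_are_uniform(hardened_request_otp, probes))
```

The uniform response closes the discrepancy the advisory describes; a complete fix also keeps the two code paths close in execution time and rate-limits the endpoint, since a timing difference between the branches is the same oracle in another channel.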

State: PUBLISHED | Reserved 2024-01-10 | Published 2026-05-11 | Updated 2026-05-11 | Assigner WSO2

Severity: MEDIUM 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Problem types

CWE-204 Observable response discrepancy

Product status

Default status: unaffected
  Any version before 5.10.0: unknown
  5.10.0 (custom) before 5.10.0.379: affected
  5.11.0 (custom) before 5.11.0.426: affected
  5.11.0 (custom) before 5.11.0.431: affected
  6.0.0 (custom) before 6.0.0.253: affected
  6.1.0 (custom) before 6.1.0.254: affected
  7.0.0 (custom) before 7.0.0.131: affected

Default status: unaffected
  Any version before 2.0.0: unknown
  2.0.0 (custom) before 2.0.0.318: affected

Default status: unaffected
  Any version before 5.10.0: unknown
  5.10.0 (custom) before 5.10.0.267: affected

Default status: unknown
  1.0.18 (custom) before 1.0.18.7: affected
  1.0.24 (custom): unaffected

Default status: unknown
  4.1.0 (custom) before 4.1.0.8: affected
  4.1.4 (custom) before 4.1.4.9: affected
  4.1.22 (custom): unaffected

Default status: unknown
  3.0.5 (custom) before 3.0.5.8: affected
  3.0.24 (custom) before 3.0.24.6: affected
  3.0.26 (custom) before 3.0.26.16: affected

References

security.docs.wso2.com/...ty-advisories/2026/WSO2-2024-3115/ vendor-advisory

cve.org (CVE-2024-0391)

nvd.nist.gov (CVE-2024-0391)