
CWE-204 (Observable Response Discrepancy) — Vulnerability Class 134

134 vulnerabilities classified as CWE-204 (Observable Response Discrepancy). AI Chinese analysis included.

CWE-204, Observable Response Discrepancy, is a design weakness where software systems provide inconsistent or distinct feedback based on internal states, inadvertently leaking sensitive information to unauthorized external actors. Attackers typically exploit this by analyzing variations in response times, error messages, or status codes to infer the existence of specific users, valid input formats, or underlying system configurations. For instance, a login system might return a generic error for invalid usernames but a specific message for invalid passwords, allowing attackers to enumerate valid accounts. To mitigate this risk, developers must ensure uniform response behaviors regardless of the specific internal failure or state. This involves standardizing error messages, normalizing response times, and implementing consistent logging practices that do not expose granular details about the application’s internal logic or data validity to the end user.

MITRE CWE Description
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Common Consequences (1)
Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism
Mitigations (2)
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Implementation: Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Examples (1)
The following code checks validity of the supplied username and password and notifies the user of a successful or failed login.
Bad · Perl
use CGI qw(param);   # param() reads the submitted form fields

my $username = param('username');
my $password = param('password');

if (IsValidUsername($username) == 1) {
    if (IsValidPassword($username, $password) == 1) {
        print "Login Successful";
    } else {
        # Distinct message: confirms that the username exists
        print "Login Failed - incorrect password";
    }
} else {
    # Distinct message: confirms that the username does not exist
    print "Login Failed - unknown username";
}

Result: a single generic message, used on both failure paths, so the response no longer reveals which check failed:
"Login Failed - incorrect username or password"
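The same login check ported to Python, as an added example that is not part of the MITRE entry or this page: the discrepant version beside a uniform one that returns one failure message and does the same password-hashing work whether or not the account exists, so neither the text nor the response time distinguishes the two failure cases. The user store, salts and the `leaks_account_existence` helper are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo user store: username -> (salt, PBKDF2-SHA256 hash).
ITERATIONS = 10_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Decoy credential used when the username is unknown, so the password check
# costs the same on both failure paths (no timing side channel on existence).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)

GENERIC_FAILURE = "Login Failed - incorrect username or password"


def login_discrepant(username: str, password: str) -> str:
    """Port of the CWE-204 'bad' example: the message says which check failed."""
    if username not in USERS:
        return "Login Failed - unknown username"
    salt, expected = USERS[username]
    if _hash_password(password, salt) != expected:
        return "Login Failed - incorrect password"
    return "Login Successful"


def login_uniform(username: str, password: str) -> str:
    """Hardened form: one failure message and equal work on both failure paths."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)  # always computed
    # compare_digest runs in constant time; the membership check guards against
    # an accidental match on the decoy hash.
    ok = hmac.compare_digest(candidate, expected) and username in USERS
    return "Login Successful" if ok else GENERIC_FAILURE


def leaks_account_existence(login) -> bool:
    """True if the login function answers an unknown user differently from a
    known user with a wrong password (the observable discrepancy)."""
    return login("nobody", "x") != login("alice", "wrong password")
```

A `leaks_account_existence`-style comparison belongs in the test suite of any login, password-reset or verification endpoint; the CVE list below is largely made up of endpoints that would fail it.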
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-20195 | Cisco Identity Services Engine Observable Response Discrepancy Vulnerability | Cisco Identity Services Engine Software | 5.3 | Medium | 2026-05-06
CVE-2026-24468 | OpenAEV Vulnerable to Username/Email Enumeration Through Differential HTTP Responses in Password Reset API | openaev | 5.3 | Medium | 2026-04-20
CVE-2026-34264 | Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA | SAP Human Capital Management for SAP S/4HANA | 6.5 | Medium | 2026-04-14
CVE-2026-4113 | SonicWALL SMA1000 security vulnerability | SMA1000 | 7.5 (AI) | High (AI) | 2026-04-09
CVE-2026-39851 | Saleor has a user enumeration vulnerability due to different error messages | saleor | 5.3 (AI) | Medium (AI) | 2026-04-08
CVE-2025-3716 | User enumeration in ESET Protect (on-prem) | ESET Protect (on-prem) | 4.3 | - | 2026-03-30
CVE-2026-33419 | MinIO: LDAP login brute-force via user enumeration and missing rate limit | minio | 9.8 | - | 2026-03-24
CVE-2026-33323 | Parse Server: Email verification resend page leaks user existence | parse-server | 5.3 | - | 2026-03-24
CVE-2026-33688 | AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint | AVideo | 5.3 | Medium | 2026-03-23
CVE-2026-30876 | Chamilo LMS: User enumeration vulnerability via response | chamilo-lms | 5.3 (AI) | Medium (AI) | 2026-03-16
CVE-2025-69243 | User enumeration in Raytha CMS | Raytha | 5.3 | - | 2026-03-16
CVE-2025-13460 | IBM Aspera Console Information Disclosure | Aspera Console | 5.3 | Medium | 2026-03-13
CVE-2025-12455 | Username Enumeration Observable Response Discrepancy vulnerability has been discovered in OpenText™ Vertica. | Vertica | 9.8 | - | 2026-03-13
CVE-2026-2859 | Unauthenticated Host Enumeration via Observable Response Discrepancy on Deploy Agent Endpoint | Checkmk | 5.3 | - | 2026-03-13
CVE-2026-24097 | Authenticated Host Enumeration via Observable Response Discrepancy on Agent Register Existing Endpoint | Checkmk | 4.3 | - | 2026-03-13
CVE-2026-4045 | projectsend Auth.php response discrepancy | projectsend | 3.7 | Low | 2026-03-12
CVE-2026-31901 | Parse Server has user enumeration via email verification endpoint | parse-server | 5.3 (AI) | Medium (AI) | 2026-03-11
CVE-2026-31888 | Shopware has user enumeration via distinct error codes on Store API login endpoint | core | 5.3 | Medium | 2026-03-11
CVE-2026-28358 | NocoDB: User Enumeration via Password Reset Endpoint | nocodb | 5.3 (AI) | Medium (AI) | 2026-03-02
CVE-2026-28288 | Dify has a user enumeration issue | dify | 5.3 | - | 2026-02-27
CVE-2026-25138 | Rucio WebUI has Username Enumeration via Login Error Message | rucio | 5.3 | Medium | 2026-02-25
CVE-2025-62512 | Piwigo Vulnerable to User Enumeration via Password Reset Endpoint | Piwigo | 5.3 | - | 2026-02-24
CVE-2026-27480 | Static Web Server: Timing-Based Username Enumeration in Basic Authentication | static-web-server | 5.3 | Medium | 2026-02-21
CVE-2019-25338 | Dokuwiki 2018-04-22b - Username Enumeration | Dokuwiki | 5.3 | Medium | 2026-02-12
CVE-2026-25509 | CI4MS Vulnerable to User Email Enumeration via Password Reset Flow | ci4ms | 5.3 | Medium | 2026-02-03
CVE-2026-24664 | Open eClass is Vulnerable to Username Enumeration via Login Response Discrepancies | openeclass | 5.3 | Medium | 2026-02-03
CVE-2026-24332 | Discord security vulnerability | WebSocket API service | 4.3 | Medium | 2026-01-22
CVE-2026-23511 | ZITADEL has a user enumeration vulnerability in Login UIs | zitadel | 5.3 | Medium | 2026-01-15
CVE-2025-69413 | Gitea security vulnerability | Gitea | 5.3 | Medium | 2026-01-01
CVE-2025-67874 | ChurchCRM has plaintext password return in response | CRM | 8.1 (AI) | High (AI) | 2025-12-16

Vulnerabilities classified as CWE-204 (Observable Response Discrepancy) represent 134 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.