
CWE-204 (Observable Response Discrepancy) — Vulnerability Class 135

135 vulnerabilities are classified as CWE-204 (Observable Response Discrepancy). AI-generated Chinese analysis is included for each entry.

CWE-204, Observable Response Discrepancy, is a design weakness where software systems provide inconsistent or distinct feedback based on internal states, inadvertently leaking sensitive information to unauthorized external actors. Attackers typically exploit this by analyzing variations in response times, error messages, or status codes to infer the existence of specific users, valid input formats, or underlying system configurations. For instance, a login system might return a generic error for invalid usernames but a specific message for invalid passwords, allowing attackers to enumerate valid accounts. To mitigate this risk, developers must ensure uniform response behaviors regardless of the specific internal failure or state. This involves standardizing error messages, normalizing response times, and implementing consistent logging practices that do not expose granular details about the application’s internal logic or data validity to the end user.

MITRE CWE Description

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Common Consequences (1)

Scope: Confidentiality, Access Control
Impact: Read Application Data, Bypass Protection Mechanism

Mitigations (2)

Phase: Architecture and Design
Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…

Phase: Implementation
Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Examples (1)

The following code checks the validity of the supplied username and password and notifies the user of a successful or failed login.

Bad · Perl

    my $username = param('username');
    my $password = param('password');

    if (IsValidUsername($username) == 1) {
        if (IsValidPassword($username, $password) == 1) {
            print "Login Successful";
        }
        else {
            print "Login Failed - incorrect password";
        }
    }
    else {
        print "Login Failed - unknown username";
    }

Result: the two failure branches print different messages, so a caller can tell whether a username exists before supplying a valid password. Both failure paths should return the same generic message, for example:

    "Login Failed - incorrect username or password"
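As an added example (not code from the CWE page or from any project listed below), the Perl pattern above is shown in Python next to a hardened variant that returns one failure message and performs the same password-hashing work whether or not the username exists, so neither the message nor the response time depends on account validity. The user store, salts and credentials are constructed for the demonstration.

```python
"""CWE-204 login check: discrepant (vulnerable) vs. uniform (hardened)."""
import hashlib
import hmac
import os

# Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record used when the username is unknown, so the same PBKDF2
# work runs on every path (response-time normalization).
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _hash("placeholder", _DUMMY_SALT)

GENERIC_FAILURE = "Login Failed - incorrect username or password"


def login_discrepant(username: str, password: str) -> str:
    """Vulnerable: the message (and timing) reveal whether the user exists."""
    if username not in USERS:
        return "Login Failed - unknown username"   # leaks account existence
    salt, digest = USERS[username]
    if hmac.compare_digest(_hash(password, salt), digest):
        return "Login Successful"
    return "Login Failed - incorrect password"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one failure message, equal hashing work, constant-time compare."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    matched = hmac.compare_digest(_hash(password, salt), digest)
    # Never authenticate against the dummy record, even if it happened to match.
    if matched and username in USERS:
        return "Login Successful"
    return GENERIC_FAILURE


if __name__ == "__main__":
    for fn in (login_discrepant, login_uniform):
        print(fn.__name__, "|", fn("alice", "wrong"), "|", fn("mallory", "wrong"))
```

Running the block prints two distinct failure strings for the discrepant version and the same generic string twice for the uniform version.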
CVE list (the "(AI)" marker flags a CVSS score or severity that the source page labels as AI-assigned):

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-67874 | ChurchCRM has plaintext password return in response | CRM | 8.1 (AI) | High (AI) | 2025-12-16 |
| CVE-2025-62181 | Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration where during user authentication process, a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. | Pega Infinity | 5.3 | Medium | 2025-12-10 |
| CVE-2025-67500 | Mastodon Error Handling Discrepancy Enables Private Status Existence Enumeration | mastodon | 3.7 | Low | 2025-12-09 |
| CVE-2021-47717 | IntelliChoice eFORCE Software Suite Username Enumeration | IntelliChoice eFORCE Software Suite | 5.3 (AI) | Medium (AI) | 2025-12-09 |
| CVE-2025-40806 | Siemens Gridscale X Prepay security vulnerability | Gridscale X Prepay | 5.3 | Medium | 2025-12-09 |
| CVE-2025-12994 | Medtronic CareLink Network security vulnerability | CareLink Network | 5.3 | Medium | 2025-12-04 |
| CVE-2025-66307 | Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure | grav | 6.5 | Medium | 2025-12-01 |
| CVE-2025-59116 | User enumeration in Windu CMS | Windu CMS | 5.3 (AI) | Medium (AI) | 2025-11-18 |
| CVE-2025-25236 | Omnissa Workspace ONE UEM security vulnerability | Omnissa Workspace ONE UEM | 5.3 | Medium | 2025-11-12 |
| CVE-2025-62236 | Frontier Airlines publicly available email address validation | flyfrontier.com | 5.3 | Medium | 2025-10-23 |
| CVE-2025-34155 | Tibbo AggreGate Network Manager < 6.40.05 Login Functionality User Enumeration | AggreGate Network Manager | 8.2 (AI) | High (AI) | 2025-10-23 |
| CVE-2025-34255 | D-Link Nuclias Connect <= v1.3.1.4 Forgot Password Account Enumeration | Nuclias Connect | 5.3 (AI) | Medium (AI) | 2025-10-16 |
| CVE-2025-34254 | D-Link Nuclias Connect <= v1.3.1.4 Login Account Enumeration | Nuclias Connect | 5.3 (AI) | Medium (AI) | 2025-10-16 |
| CVE-2025-61789 | Icinga DB Web hidden/protected custom variables are prone to filter enumeration | icingadb-web | 5.3 | Medium | 2025-10-16 |
| CVE-2025-42903 | User Enumeration and Sensitive Data Exposure via RFC Function in SAP Financial Service Claims Management | SAP Financial Service Claims Management | 4.3 | Medium | 2025-10-14 |
| CVE-2025-58586 | User Enumeration by excessive error output | Baggage Analytics | 5.3 | Medium | 2025-10-06 |
| CVE-2025-58442 | Saleor has user enumeration vulnerability due to different error messages | saleor | 5.3 | Medium | 2025-09-09 |
| CVE-2025-9824 | User Enumeration via Response Timing | Mautic | 5.9 | Medium | 2025-09-03 |
| CVE-2025-9109 | Portabilis i-Diario Password Recovery Endpoint email observable response discrepancy | i-Diario | 3.7 | Low | 2025-08-18 |
| CVE-2025-46390 | Emby MediaBrowser security vulnerability | MediaBrowser | 7.5 | High | 2025-08-06 |
| CVE-2025-54834 | OPEXUS FOIAXpress Public Access Link (PAL) unauthenticated username enumeration | FOIAXpress Public Access Link (PAL) | 5.3 | Medium | 2025-07-31 |
| CVE-2025-52899 | Tuleap vulnerable to user enumeration via the lost password form | tuleap | 5.3 | Medium | 2025-07-29 |
| CVE-2025-54129 | HAXiam allows for User Enumeration | issues | 4.3 | Medium | 2025-07-21 |
| CVE-2025-27451 | CVE-2025-27451 | Endress+Hauser MEAC300-FNADE4 | 5.3 | Medium | 2025-07-03 |
| CVE-2025-3092 | MB connect line: Observable response discrepancy in mbCONNECT24/mymbCONNECT24 | myREX24 | 7.5 | High | 2025-06-24 |
| CVE-2025-5485 | SinoTrack GPS Receiver Weak Authentication | IOT PC Platform | 8.6 | High | 2025-06-12 |
| CVE-2025-49187 | User enumeration | SICK Field Analytics | 5.3 | Medium | 2025-06-12 |
| CVE-2025-0163 | IBM Security Verify Access information disclosure | Security Verify Access | 5.3 | Medium | 2025-06-11 |
| CVE-2025-3939 | Observable Response Discrepancy | Niagara Framework | 5.3 | Medium | 2025-05-22 |
| CVE-2025-48015 | Observable Response Discrepancy | SEL-5056 Software-Defined Network Flow Controller | 3.7 | Low | 2025-05-20 |

Vulnerabilities classified as CWE-204 (Observable Response Discrepancy) number 135 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.