
CWE-204 (Observable Response Discrepancy) — Vulnerability Class (134 CVEs)

134 vulnerabilities classified as CWE-204 (Observable Response Discrepancy). AI-generated analysis (in Chinese) included.

CWE-204, Observable Response Discrepancy, is a weakness in which a product answers requests differently depending on its internal state, and those differences reveal that state to an actor who should not see it. The signal can be any observable property of the response: the wording of an error message, an HTTP status code, a redirect target, the response length, or the elapsed time. The classic case is authentication. If a login endpoint answers "unknown username" for one input and "incorrect password" for another, or takes noticeably longer when the username exists (because only then does it run the password hash), an attacker can enumerate valid accounts one request at a time and has already obtained half of a credential pair. The same leak appears in registration, password-reset and "is this account registered" endpoints, as several entries in the list below show. Mitigation means making every failure path look the same to the caller: return one generic message and one status code for all authentication failures, do the same amount of work on every path (for example, hash the supplied password against a dummy record when the user does not exist) so that timing does not vary, keep the detailed reason in server-side logs rather than in the response, and back this with rate limiting so that any residual small difference cannot be averaged out cheaply.

MITRE CWE Description
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Common Consequences (1)
Scope: Confidentiality, Access Control. Impact: Read Application Data, Bypass Protection Mechanism.
Mitigations (2)
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Implementation: Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Examples (1)
The following code checks the validity of the supplied username and password and notifies the user of a successful or failed login.

Bad · Perl

    use strict;
    use warnings;
    use CGI qw(param);   # param() comes from CGI.pm; the original snippet omitted the import

    my $username = param('username');
    my $password = param('password');

    if (IsValidUsername($username) == 1) {
        if (IsValidPassword($username, $password) == 1) {
            print "Login Successful";
        } else {
            # Reveals that the username exists
            print "Login Failed - incorrect password";
        }
    } else {
        # Reveals that the username does not exist
        print "Login Failed - unknown username";
    }

Result
The two failure branches print different messages, so an attacker can learn whether a username exists without knowing its password. Both failure cases should return the same message, such as:

"Login Failed - incorrect username or password"
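As an added example (not code from this page, from MITRE, or from any product listed below), the following Python contrasts the MITRE login example above with a hardened version and provides two small oracles an auditor can point at either implementation: one checks whether the failure wording differs between an unknown user and a known user with a wrong password, the other measures whether the unknown-user case is answered faster. The user store, usernames, passwords and PBKDF2 parameters are constructed for the demo and are not from any real system.

```python
import hashlib
import hmac
import os
import secrets
import statistics
import time

# Constructed demo data: a tiny in-memory store of salted PBKDF2 hashes.
# The iteration count is kept low so the demo runs quickly.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_record(password: str):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


USERS = {
    "alice": _make_record("correct horse battery staple"),
    "bob": _make_record("hunter2"),
}

# Dummy record used for unknown usernames so that the failure path does the
# same amount of work. Its password is random and never stored, so it can
# never be matched; it must use the same algorithm and parameters as real
# records or the timing gap simply moves.
DUMMY_RECORD = _make_record(secrets.token_hex(16))

FAILURE_MESSAGE = "Login Failed - incorrect username or password"


def login_bad(username: str, password: str) -> str:
    """Vulnerable, mirroring the MITRE Perl example: distinct messages, and
    no hashing at all when the user is unknown, so both wording and elapsed
    time tell the caller whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return "Login Failed - unknown username"
    salt, expected = record
    if hmac.compare_digest(hash_password(password, salt), expected):
        return "Login Successful"
    return "Login Failed - incorrect password"


def login_good(username: str, password: str) -> str:
    """Hardened: one failure message, and the password is always hashed and
    compared against something, so unknown and known users cost the same."""
    record = USERS.get(username)
    salt, expected = record if record is not None else DUMMY_RECORD
    computed = hash_password(password, salt)
    # compare_digest runs in constant time; the existence check comes after
    # it so the comparison is never skipped.
    matched = hmac.compare_digest(computed, expected)
    if matched and record is not None:
        return "Login Successful"
    return FAILURE_MESSAGE


def message_oracle(login_fn) -> bool:
    """True when the wording alone separates an unknown user from a known
    user who supplied a wrong password."""
    unknown = login_fn("mallory", "wrong")
    known = login_fn("alice", "wrong")
    return unknown != known


def timing_oracle(login_fn, samples: int = 5) -> dict:
    """Median response time in seconds for the two failure cases. A large
    gap is the signal behind timing-based enumeration."""
    def measure(user):
        times = []
        for _ in range(samples):
            start = time.perf_counter()
            login_fn(user, "wrong")
            times.append(time.perf_counter() - start)
        return statistics.median(times)
    return {"unknown_user": measure("mallory"), "known_user": measure("alice")}


if __name__ == "__main__":
    for name, fn in (("login_bad", login_bad), ("login_good", login_good)):
        print(f"{name}: message oracle={message_oracle(fn)} timing={timing_oracle(fn)}")
```

Running it, login_bad reports the message oracle as True and a large timing gap (its unknown-user path never hashes), while login_good reports False and near-equal medians. The same uniform-response discipline applies to registration, password-reset and account-availability endpoints, and the HTTP status code and response length should be compared the same way as the wording; rate limiting then decides how cheaply an attacker can average out whatever jitter remains.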
CVE ID | Title | Product | CVSS | Severity | Published
Entries marked (AI) carry the site's AI tag on the score and severity; "-" means no severity was given.
CVE-2025-46736 | Umbraco Makes User Enumeration Feasible Based on Timing of Login Response | Umbraco-CMS | 5.3 | Medium | 2025-05-06
CVE-2025-24342 | Bosch Rexroth ctrlX OS security vulnerability | ctrlX OS - Device Admin | 5.3 | Medium | 2025-04-30
CVE-2025-30150 | Shopware 6 allows attackers to check for registered accounts through the store-api | shopware | 5.3 (AI) | Medium (AI) | 2025-04-08
CVE-2025-30280 | Siemens Mendix Runtime security vulnerability | Mendix Runtime V10 | 5.3 | Medium | 2025-04-08
CVE-2024-56476 | IBM TXSeries for Multiplatforms information disclosure | TXSeries for Multiplatforms | 5.3 | Medium | 2025-04-02
CVE-2025-2910 | User enumeration vulnerability in MeetMe products | MeetMe | 5.3 | - | 2025-03-28
CVE-2025-24023 | Observable Response Discrepancy in flask-appbuilder | Flask-AppBuilder | 3.7 | Low | 2025-03-03
CVE-2025-1101 | Q-Free MAXTIME Suite security vulnerability | MaxTime | 5.3 | Medium | 2025-02-12
CVE-2025-23193 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP | SAP NetWeaver Server ABAP | 5.3 | Medium | 2025-02-11
CVE-2025-24980 | Pimcore Admin Classic Bundle allows user enumeration | admin-ui-classic-bundle | 5.3 | - | 2025-02-07
CVE-2023-37413 | IBM Aspera Faspex information disclosure | Aspera Faspex | 5.3 | Medium | 2025-01-29
CVE-2023-47159 | IBM Sterling File Gateway information disclosure | Sterling File Gateway | 4.3 | Medium | 2025-01-27
CVE-2024-35114 | IBM Control Center information disclosure | Control Center | 5.3 | Medium | 2025-01-25
CVE-2025-0693 | Issue with AWS Sign-in IAM User Login Flow - Possible Username Enumeration | AWS Sign-in IAM Login Flow | 5.3 | Medium | 2025-01-23
CVE-2025-23214 | Cosmos userbase checking vulnerability | Cosmos-Server | 5.3 | - | 2025-01-20
CVE-2024-36510 | Fortinet FortiClientEMS and FortiSOAR security vulnerability | FortiClientEMS | 4.9 | Medium | 2025-01-14
CVE-2024-42174 | HCL MyXalytics is affected by username enumeration vulnerability | DRYiCE MyXalytics | 3.7 | Low | 2025-01-11
CVE-2024-13198 | langhsu Mblog Blog System login observable response discrepancy | Mblog Blog System | 3.7 | Low | 2025-01-09
CVE-2024-13028 | Antabot White-Jotter login observable response discrepancy | White-Jotter | 3.7 | Low | 2024-12-29
CVE-2024-12663 | funnyzpc Mee-Admin Login login observable response discrepancy | Mee-Admin | 3.7 | Low | 2024-12-16
CVE-2022-20633 | Cisco Enterprise Chat and Email Username Enumeration Vulnerability | Cisco Enterprise Chat and Email | 5.3 | Medium | 2024-11-15
CVE-2024-41715 | goTenna Pro ATAK Plugin Observable Response Discrepancy | Pro ATAK Plugin | 4.3 | Medium | 2024-09-26
CVE-2024-47129 | Observable Response Discrepancy in goTenna Pro | Pro | 4.3 | Medium | 2024-09-26
CVE-2024-8651 | Netcat CMS: user enumeration | NetCat CMS | 5.3 (AI) | Medium (AI) | 2024-09-19
CVE-2023-49069 | Siemens Mendix security vulnerability | Mendix Runtime V10 | 5.3 | Medium | 2024-09-10
CVE-2024-42343 | Loway - CWE-204: Observable Response Discrepancy | QueueMetrics | 5.3 | Medium | 2024-09-08
CVE-2024-38431 | Matrix Tafnit v8 - CWE-204: Observable Response Discrepancy | Tafnit v8 | 5.3 | Medium | 2024-07-30
CVE-2024-39912 | Enumeration of valid usernames in web-auth/webauthn-lib | webauthn-framework | 5.3 | Medium | 2024-07-15
CVE-2024-40627 | OpaMiddleware does not filter HTTP OPTIONS requests | fastapi-opa | 5.8 | Medium | 2024-07-15
CVE-2023-33859 | IBM Security ReaQta information disclosure | Security QRadar EDR | 5.3 | Medium | 2024-07-10

Vulnerabilities classified as CWE-204 (Observable Response Discrepancy) total 134 CVEs; the table above shows the most recently published entries. The CWE taxonomy describes the weakness class only, so review each CVE for the product-specific channel (message, status code, timing) and impact.