CVE-2024-0391

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

11/05/2026

Last modified:

11/05/2026

Description

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.<br /> <br /> The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization&#39;s reputation and leading to regulatory non-compliance and financial consequences.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 5.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

Base Score 3.x

5.30

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/