CVE-2024-0391
Published: May 11, 2026
Modified: May 11, 2026
CVSS v3.1
5.3
Description
The "check user account lock state" feature within the email OTP flow fails to validate user input, allowing an attacker to infer whether a given username corresponds to a registered account. The discovery of valid usernames increases the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activity aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
| Vendor | Product | Versions |
|---|---|---|
| WSO2 | WSO2 Identity Server | unknown: 0 - < 5.10.0; affected: 5.10.0 - < 5.10.0.379; affected: 5.11.0 - < 5.11.0.426; affected: 5.11.0 - < 5.11.0.431; affected: 6.0.0 - < 6.0.0.253; +2 more versions |
| WSO2 | WSO2 Open Banking IAM | unknown: 0 - < 2.0.0; affected: 2.0.0 - < 2.0.0.318 |
| WSO2 | WSO2 Identity Server as Key Manager | unknown: 0 - < 5.10.0; affected: 5.10.0 - < 5.10.0.267 |
| WSO2 | Email OTP Authenticator | affected: 1.0.18 - < 1.0.18.7; unaffected: 1.0.24 - <= * |
| WSO2 | WSO2 Carbon Authenticator Library For EmailOTP | affected: 4.1.0 - < 4.1.0.8; affected: 4.1.4 - < 4.1.4.9; unaffected: 4.1.22 - <= * |
| WSO2 | WSO2 Carbon Authenticator Library For EmailOTP | affected: 3.0.5 - < 3.0.5.8; affected: 3.0.24 - < 3.0.24.6; affected: 3.0.26 - < 3.0.26.16 |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: Low (C:L)
Integrity: None (I:N)
Availability: None (A:N)