CWE-204(Observable Response Discrepancy)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-43926 | 2026-06-04 | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint `/client/reset-password-confirm/:hash` is handled by a non-API… |
| CVE-2026-45294 | 2026-05-29 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted … |
| CVE-2026-45620 | 2026-05-29 | WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) a… |
| CVE-2018-25350 | 2026-05-23 | userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Att… |
| CVE-2026-44306 | 2026-05-12 | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email addr… |
| CVE-2024-0391 | 2026-05-11 | The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid user… |
| CVE-2026-8242 | 2026-05-10 | A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results … |
| CVE-2026-20195 | 2026-05-06 | A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists… |
| CVE-2026-34319 | 2026-04-21 | Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulne… |
| CVE-2026-24468 | 2026-04-20 | OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/… |
| CVE-2026-40485 | 2026-04-18 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a … |
| CVE-2026-34264 | 2026-04-14 | During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the … |
| CVE-2026-4113 | 2026-04-09 | An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials. |
| CVE-2026-39851 | 2026-04-08 | Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in erro… |
| CVE-2025-67807 | 2026-04-01 | The login mechanism of Sage DPW 2025_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administra… |
| CVE-2025-67806 | 2026-04-01 | The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administra… |
| CVE-2025-3716 | 2026-03-30 | User enumeration in ESET Protect (on-prem) via Response Timing. |
| CVE-2026-33419 | 2026-03-24 | MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credenti… |
| CVE-2026-33323 | 2026-03-24 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for rese… |
| CVE-2026-33688 | 2026-03-23 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks be… |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Potential_Mitigations, Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Relationship_Notes, Taxonomy_Mappings |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Description, Potential_Mitigations |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Demonstrative_Examples |
| 2010-09-27 | CWE Content Team | 1.10 | — | updated Description, Name, Observed_Examples |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Demonstrative_Examples, Observed_Examples, References, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Description, Name, Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Potential_Mitigations |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Related_Attack_Patterns |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-04-03 | CWE Content Team | 4.17 | — | updated Description, Diagram, Modes_of_Introduction |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Weakness_Ordinalities |