CVE-2018-25350 PUBLISHED

userSpice 4.3.24 Username Enumeration via existingUsernameCheck.php

Assigner: VulnCheck
Reserved: 23.05.2026 Published: 23.05.2026 Updated: 23.05.2026

userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system.
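A log-side check for the behaviour described above, as an added example that is not part of the advisory or of the UserSpice code base: it flags clients that POST to existingUsernameCheck.php more often than a registration form normally would. The Combined Log Format, the threshold and window values, and the sample lines (with a placeholder directory and documentation IP ranges) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

ENDPOINT = "existingusernamecheck.php"  # endpoint named in the advisory, lowercased
MAX_HITS = 5   # assumed threshold: POSTs tolerated per client per window
WINDOW = 60    # assumed window length in seconds

# Assumed input: Combined Log Format lines in chronological order.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)

def find_enumeration(lines, max_hits=MAX_HITS, window=WINDOW):
    """Return {client_ip: peak POST count in any `window` seconds} for clients over max_hits."""
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare only the path component so a query string cannot hide the endpoint.
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith("/" + ENDPOINT):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # drop requests older than the window
            hits.popleft()
        if len(hits) > max_hits:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(hits))
    return peaks

# Constructed sample: one client sends 8 checks in 8 seconds, another sends one.
_URL = "/PLACEHOLDER/existingUsernameCheck.php"  # directory is a placeholder
SAMPLE_LOG = [
    f'192.0.2.10 - - [23/May/2026:10:00:{s:02d} +0000] "POST {_URL} HTTP/1.1" 200 5'
    for s in range(8)
] + [
    f'198.51.100.7 - - [23/May/2026:10:00:03 +0000] "POST {_URL} HTTP/1.1" 200 5',
    '192.0.2.10 - - [23/May/2026:10:00:09 +0000] "GET /PLACEHOLDER/index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, peak in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {peak} username checks within {WINDOW}s")
```

A flagged client is a candidate for rate limiting or blocking at the web server or WAF; tune the threshold against normal registration traffic for the site.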

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor: UserSpice
Product: userSpice
Versions:
  • Version 4.3.24 is affected

Credits

  • Dolev Farhi (finder)

References

Problem Types

  • Observable Response Discrepancy CWE