Vulnerability in Wso2 Email Otp Authenticator
CVE-2024-0391
The "check user account lock state" feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-fo…
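The weakness described above is an observable response discrepancy: the account-lock check answers differently depending on whether the username is registered. The following is an added illustration, not WSO2's authenticator code, contrasting a leaky lock check with a uniform one; the user store, the `OUTBOX` list and all function names are constructed for the example.

```python
# Constructed toy model of an email-OTP "check account lock state" step.
# Not WSO2 code; the user store below is a hypothetical inline dictionary.
import logging

log = logging.getLogger("otp-flow")

# Constructed sample user store: username -> account lock flag
USERS = {"alice": {"locked": False}, "bob": {"locked": True}}
OUTBOX = []  # usernames for which an OTP email was dispatched (stand-in for a mailer)


def _dispatch_otp(username: str) -> None:
    """Stand-in for sending the OTP email."""
    OUTBOX.append(username)


def lock_check_leaky(username: str) -> dict:
    """Vulnerable pattern: status and message reveal whether the user exists."""
    user = USERS.get(username)
    if user is None:
        return {"status": 404, "message": "User does not exist"}
    if user["locked"]:
        return {"status": 403, "message": "Account is locked"}
    _dispatch_otp(username)
    return {"status": 200, "message": "OTP sent"}


def lock_check_uniform(username: str) -> dict:
    """Hardened pattern: one externally observable outcome for every username;
    the real decision is recorded server-side and never echoed to the client."""
    known = username in USERS
    locked = USERS[username]["locked"] if known else False
    send_otp = known and not locked
    # Server-side audit record for detection and incident response only.
    log.info("otp lock check user=%r known=%s locked=%s sent=%s",
             username, known, locked, send_otp)
    if send_otp:
        _dispatch_otp(username)
    return {"status": 200, "message": "If the account exists, an OTP has been sent"}


def responses_distinguishable(check, a: str, b: str) -> bool:
    """True when comparing the responses for usernames a and b tells them apart."""
    ra, rb = check(a), check(b)
    return ra["status"] != rb["status"] or ra["message"] != rb["message"]
```

The uniform variant removes the status and message discrepancy only; in a real deployment the OTP email should be dispatched asynchronously so that response timing does not become a second channel for the same inference.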
EPSS: 0.000 (11.2 percentile).
CVSS v3 metrics
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
Affected products
- Wso2 Email Otp Authenticator — versions 1.0.18, 1.0.24
- Wso2 Carbon Authenticator Library For Emailotp — versions 4.1.0, 4.1.4, 4.1.22
- Wso2 Identity Server — versions 0, 5.10.0, 5.11.0
- Wso2 Identity Server As Key Manager — versions 0, 5.10.0
- Wso2 Open Banking Iam — versions 0, 2.0.0
Weakness classification (CWE)
- CWE-204: Observable Response Discrepancy
References
- ed10eef1-636d-4fbe-9993-6890dfa878f8 (vendor advisory)
Frequently asked questions
- What is CVE-2024-0391?
- CVE-2024-0391 is a medium-severity vulnerability in Wso2 Email Otp Authenticator, classified under Observable Response Discrepancy. CVSS score: 5.3/10. Published 2026-05-11.
- How severe is CVE-2024-0391?
- Medium severity. CVSS v3 base score is 5.3 out of 10.