#cwe-204

7 related security advisories collected.

vantage6

### Impact Vantage6 currently provides an initial user with username `root` and password `root`. This is not ideal for the following reasons: - Attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights - The initial password is very weak and it is possible that administrators forget to reset it. ### Patches No ### Workarounds It is possible t

💡 Risk: original text only (no in-depth LLM analysis due to quota limits)

🎯 Suggested action: assess based on the original text

Ranking factors: patch/fix available (+3) | Secondary data source (+2) | LLM score bonus (+0.4)
CVE-2026-45294

FreeScout is a free help desk and shared inbox system built in PHP on the Laravel framework. Before version 1.8.219, its password reset endpoint returned visibly different responses depending on whether the submitted email address belonged to a valid user account (for example, "Reset link sent" when the account exists versus "Email not registered" when it does not), allowing an unauthenticated attacker to enumerate valid help desk agent email addresses. This is a sensitive information disclosure: an attacker can use the enumerated addresses for targeted phishing or subsequent brute-force attacks. All versions below 1.8.219 are affected. The vendor fixed the issue in 1.8.219 by unifying the response so that it no longer distinguishes whether an account exists. All users should upgrade to the latest version immediately. In addition, consider restricting external access to the password reset endpoint at the network level, or adding protections such as CAPTCHA or rate limiting to slow enumeration attacks.

💡 Impact/cause: An attacker can use this to harvest valid agent email addresses in bulk, supplying targets for follow-up social engineering, phishing or credential attacks and significantly lowering the cost of an attack. Although the CVSS score is only 5.3, this is an important link in a real attack chain.

Ranking factors: Primary data source (+3) | LLM score bonus (+0.4)
CVE-2026-45620

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration.

💡 Impact/cause: original text only (no in-depth LLM analysis due to quota limits)

🎯 Suggested action: assess based on the original text

Ranking factors: Primary data source (+3) | LLM score bonus (+0.4)
CVE-2026-44306

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0.

💡 Impact/cause: original text only (no in-depth LLM analysis due to quota limits)

🎯 Suggested action: assess based on the original text

Ranking factors: Primary data source (+3) | LLM score bonus (+0.4)
CVE-2024-0391

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking

💡 Impact/cause: original text only (no in-depth LLM analysis due to quota limits)

🎯 Suggested action: assess based on the original text

Ranking factors: Primary data source (+3) | LLM score bonus (+0.4)
CVE-2026-8242

A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results in observable response discrepancy. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is regarded as difficult. The exploit ha

💡 Impact/cause: original text only (no in-depth LLM analysis due to quota limits)

🎯 Suggested action: assess based on the original text

Ranking factors: Primary data source (+3) | LLM score bonus (+0.4)
lemmy_api

## Summary The unauthenticated resend-verification endpoint returns different responses for registered and unregistered email addresses. A malicious third party can submit candidate addresses to `/api/v4/account/auth/resend_verification_email` and distinguish accounts from misses. ## Details `resend_verification_email()` looks up the submitted address and returns the lookup error to the caller:
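The FreeScout, Statamic and lemmy_api entries above all describe the same defect: a password-reset or resend-verification handler that lets the result of the account lookup reach the caller. The following is an added example written for this page, not code from FreeScout, Statamic or Lemmy. It places the leaking handler beside the uniform-response fix, then runs an attacker-style probe and a defender-style check against both. The user table, outbox and candidate list are constructed sample data, and `queue_reset_mail`, `enumerate_accounts` and `response_variants` are hypothetical names chosen for the example.

```python
"""Observable response discrepancy (CWE-204) in a forgot-password flow.

Example code written for this page; not taken from FreeScout, Statamic or Lemmy.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed user table standing in for the real account store.
USERS: Dict[str, str] = {
    "alice@example.com": "agent-1",
    "bob@example.com": "agent-2",
}

# Constructed outbox: records reset mails instead of sending them.
OUTBOX: List[str] = []


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def queue_reset_mail(email: str) -> None:
    """Hypothetical mailer stand-in; a token is generated only for registered users."""
    OUTBOX.append(f"{email}:{secrets.token_urlsafe(32)}")


def forgot_password_vulnerable(email: str) -> Response:
    """Pre-fix behaviour: the lookup result is surfaced to the caller."""
    if email not in USERS:
        return Response(404, "Email not registered")   # oracle: address is unknown
    queue_reset_mail(email)
    return Response(200, "Reset link sent")            # oracle: address is known


def forgot_password_hardened(email: str) -> Response:
    """Fixed behaviour: identical status and body for hits and misses.

    The mail is still queued only for real accounts, so the response itself
    carries no signal. Queue the send asynchronously in a real service so that
    response time does not become the next side channel.
    """
    if email in USERS:
        queue_reset_mail(email)
    return Response(200, "If that address is registered, a reset link has been sent.")


Handler = Callable[[str], Response]


def enumerate_accounts(handler: Handler, candidates: List[str]) -> List[str]:
    """Attacker view: every candidate whose response differs from a known-miss baseline."""
    baseline = handler(f"nobody-{secrets.token_hex(4)}@example.com")
    hits: List[str] = []
    for candidate in candidates:
        resp = handler(candidate)
        if (resp.status, resp.body) != (baseline.status, baseline.body):
            hits.append(candidate)
    return hits


def response_variants(handler: Handler, candidates: List[str]) -> int:
    """Defender check: how many distinct (status, body) pairs the endpoint produces.

    A correctly fixed endpoint yields exactly 1 across hits and misses.
    """
    seen = {(r.status, r.body) for r in (handler(c) for c in candidates)}
    return len(seen)


# Constructed probe list mixing registered and unregistered addresses.
CANDIDATES = ["alice@example.com", "carol@example.com", "bob@example.com", "dave@example.com"]

if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(forgot_password_vulnerable, CANDIDATES))
    print("hardened:  ", enumerate_accounts(forgot_password_hardened, CANDIDATES))
    print("variants:  ", response_variants(forgot_password_vulnerable, CANDIDATES),
          response_variants(forgot_password_hardened, CANDIDATES))
```

The probe compares status code and body together because a fix that unifies the message but still returns 404 for a miss, or propagates the lookup error as in the lemmy_api entry, leaves the oracle intact. The same single-response rule applies to the OTP account-lock check in CVE-2024-0391 and to any login or verification endpoint: decide on one status and one body before the lookup, and let the lookup affect only what happens out of band.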

💡 Risk: original text only (no in-depth LLM analysis due to quota limits)

🎯 Suggested action: assess based on the original text

Ranking factors: patch/fix available (+3) | Secondary data source (+2) | LLM score bonus (+0.4)