CA XOsoft r12.0 and r12.5 does not properly perform authentication, which allows remote attackers to enumerate usernames via a SOAP request.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869
http://www.securityfocus.com/bid/39244
http://www.securityfocus.com/archive/1/510564/100/0/threaded