User Enumeration

medium Web App Scanning Plugin ID 114947

Language:

Synopsis

User Enumeration

Description

The scanner has detected a potential user enumeration vulnerability in the web application. This vulnerability allows an attacker to determine valid usernames by observing the application's responses.

Solution

Ensure that user enumeration vulnerabilities are mitigated by implementing proper authentication mechanisms and generic error messages, rate limiting, and other techniques to prevent attackers from determining valid usernames.

See Also

https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

Plugin Details

Severity: Medium

ID: 114947

Type: remote

Family: Data Exposure

Published: 9/3/2025

Updated: 9/19/2025

Scan Template: api, basic, full, mcp, overview, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 200

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1

WASC: Information Leakage

CAPEC: 116, 13, 169, 22, 224, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 472, 497, 508, 573, 574, 575, 576, 577, 59, 60, 616, 643, 646, 651, 79

DISA STIG: APSC-DV-000460

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-15

OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8

OWASP ASVS: 4.0.2-8.3.4

PCI-DSS: 3.2-6.5.8