Threats Tagged 'cwe-208'

FilamentPHP filament versions from 4.0.0 up to but not including 4.11.5 and 5.6.5 contain a timing discrepancy vulnerability on the login page. This flaw allows unauthenticated attackers to enumerate registered email addresses by observing response time differences. The vulnerability only discloses account existence information and does not impact confidentiality, integrity, or availability beyond that. It is fixed starting from versions 4.11.5 and 5.6.5.

CVE-2026-48859 is a timing side-channel vulnerability in Erlang/OTP's SSH authentication modules ssh_auth and ssh_options. It allows unauthenticated remote attackers to enumerate valid usernames by measuring the time taken during password authentication attempts. The vulnerability arises because valid usernames trigger a costly PBKDF2-SHA256 computation (~300ms), whereas invalid usernames return immediately (~0ms). This issue affects OTP versions from 29.0 before 29.0.2 and SSH versions from 6.0 before 6.0.1. The vulnerable user_passwords and password options are intended for testing, with the recommended alternative being pwdfun, which is not affected.

TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before returning a 401 Unauthorized, adding ~370 ms of latency. When the email did not exist, the backend returned immediately (~10 ms). This ~14× timing difference could be detected without any difference in HTTP status codes or response bodies. This vulnerability is fixed in 3.0.18.