{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-0391", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "state": "PUBLISHED", "assignerShortName": "WSO2", "dateReserved": "2024-01-10T09:02:14.122Z", "datePublished": "2026-05-11T08:45:33.754Z", "dateUpdated": "2026-05-11T12:46:03.691Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2026-05-11T08:45:33.754Z"}, "title": "Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-204", "description": "CWE-204 Observable response discrepancy", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-249", "descriptions": [{"lang": "en", "value": "CAPEC-249 CAPEC-249: Inferential Information Gathering"}]}], "affected": [{"vendor": "WSO2", "product": "WSO2 Identity Server", "versions": [{"status": "unknown", "version": "0", "lessThan": "5.10.0", "versionType": "custom"}, {"status": "affected", "version": "5.10.0", "lessThan": "5.10.0.379", "versionType": "custom"}, {"status": "affected", "version": "5.11.0", "lessThan": "5.11.0.426", "versionType": "custom"}, {"status": "affected", "version": "5.11.0", "lessThan": "5.11.0.431", "versionType": "custom"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.0.0.253", "versionType": "custom"}, {"status": "affected", "version": "6.1.0", "lessThan": "6.1.0.254", "versionType": "custom"}, {"status": "affected", "version": "7.0.0", "lessThan": "7.0.0.131", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 Open Banking IAM", "versions": [{"status": "unknown", "version": "0", "lessThan": "2.0.0", "versionType": "custom"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.0.318", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 Identity Server as Key Manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "5.10.0", "versionType": "custom"}, {"status": "affected", "version": "5.10.0", "lessThan": "5.10.0.267", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "Email OTP Authenticator", "packageName": "org.wso2.carbon.identity.local.auth.emailotp:org.wso2.carbon.identity.local.auth.emailotp", "versions": [{"status": "affected", "version": "1.0.18", "lessThan": "1.0.18.7", "versionType": "custom"}, {"status": "unaffected", "version": "1.0.24", "lessThanOrEqual": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "WSO2", "product": "WSO2 Carbon Authenticator Library For EmailOTP", "packageName": "org.wso2.carbon.extension.identity.authenticator.outbound.emailotp:org.wso2.carbon.identity.authenticator.emailotp", "versions": [{"status": "affected", "version": "4.1.0", "lessThan": "4.1.0.8", "versionType": "custom"}, {"status": "affected", "version": "4.1.4", "lessThan": "4.1.4.9", "versionType": "custom"}, {"status": "unaffected", "version": "4.1.22", "lessThanOrEqual": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "WSO2", "product": "WSO2 Carbon Authenticator Library For EmailOTP", "packageName": "org.wso2.carbon.extension.identity.authenticator.outbound.emailotp:org.wso2.carbon.extension.identity.authenticator.emailotp.connector", "versions": [{"status": "affected", "version": "3.0.5", "lessThan": "3.0.5.8", "versionType": "custom"}, {"status": "affected", "version": "3.0.24", "lessThan": "3.0.24.6", "versionType": "custom"}, {"status": "affected", "version": "3.0.26", "lessThan": "3.0.26.16", "versionType": "custom"}], "defaultStatus": "unknown"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.0", "versionEndExcluding": "5.10.0.379"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11.0", "versionEndExcluding": "5.11.0.426"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11.0", "versionEndExcluding": "5.11.0.431"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.0.0.253"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.0", "versionEndExcluding": "6.1.0.254"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.0.131"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.0.0.318"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.0", "versionEndExcluding": "5.10.0.267"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wso2:email_otp_authenticator:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.18", "versionEndExcluding": "1.0.18.7"}, {"vulnerable": false, "criteria": "cpe:2.3:a:wso2:email_otp_authenticator:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.24", "versionEndIncluding": "*"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1.0", "versionEndExcluding": "4.1.0.8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1.4", "versionEndExcluding": "4.1.4.9"}, {"vulnerable": false, "criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1.22", "versionEndIncluding": "*"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.5", "versionEndExcluding": "3.0.5.8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.24", "versionEndExcluding": "3.0.24.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.26", "versionEndExcluding": "3.0.26.16"}]}]}], "descriptions": [{"lang": "en", "value": "The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences."}]}], "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution</span></a> <br>"}]}], "source": {"advisory": "WSO2-2024-3115", "discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-11T12:45:51.278289Z", "id": "CVE-2024-0391", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T12:46:03.691Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-11T12:45:51.278289Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T12:45:59.492Z"}}], "cna": {"title": "Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery", "source": {"advisory": "WSO2-2024-3115", "discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-249", "descriptions": [{"lang": "en", "value": "CAPEC-249 CAPEC-249: Inferential Information Gathering"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WSO2", "product": "WSO2 Identity Server", "versions": [{"status": "unknown", "version": "0", "lessThan": "5.10.0", "versionType": "custom"}, {"status": "affected", "version": "5.10.0", "lessThan": "5.10.0.379", "versionType": "custom"}, {"status": "affected", "version": "5.11.0", "lessThan": "5.11.0.426", "versionType": "custom"}, {"status": "affected", "version": "5.11.0", "lessThan": "5.11.0.431", "versionType": "custom"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.0.0.253", "versionType": "custom"}, {"status": "affected", "version": "6.1.0", "lessThan": "6.1.0.254", "versionType": "custom"}, {"status": "affected", "version": "7.0.0", "lessThan": "7.0.0.131", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 Open Banking IAM", "versions": [{"status": "unknown", "version": "0", "lessThan": "2.0.0", "versionType": "custom"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.0.318", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 Identity Server as Key Manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "5.10.0", "versionType": "custom"}, {"status": "affected", "version": "5.10.0", "lessThan": "5.10.0.267", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "Email OTP Authenticator", "versions": [{"status": "affected", "version": "1.0.18", "lessThan": "1.0.18.7", "versionType": "custom"}, {"status": "unaffected", "version": "1.0.24", "versionType": "custom", "lessThanOrEqual": "*"}], "packageName": "org.wso2.carbon.identity.local.auth.emailotp:org.wso2.carbon.identity.local.auth.emailotp", "defaultStatus": "unknown"}, {"vendor": "WSO2", "product": "WSO2 Carbon Authenticator Library For EmailOTP", "versions": [{"status": "affected", "version": "4.1.0", "lessThan": "4.1.0.8", "versionType": "custom"}, {"status": "affected", "version": "4.1.4", "lessThan": "4.1.4.9", "versionType": "custom"}, {"status": "unaffected", "version": "4.1.22", "versionType": "custom", "lessThanOrEqual": "*"}], "packageName": "org.wso2.carbon.extension.identity.authenticator.outbound.emailotp:org.wso2.carbon.identity.authenticator.emailotp", "defaultStatus": "unknown"}, {"vendor": "WSO2", "product": "WSO2 Carbon Authenticator Library For EmailOTP", "versions": [{"status": "affected", "version": "3.0.5", "lessThan": "3.0.5.8", "versionType": "custom"}, {"status": "affected", "version": "3.0.24", "lessThan": "3.0.24.6", "versionType": "custom"}, {"status": "affected", "version": "3.0.26", "lessThan": "3.0.26.16", "versionType": "custom"}], "packageName": "org.wso2.carbon.extension.identity.authenticator.outbound.emailotp:org.wso2.carbon.extension.identity.authenticator.emailotp.connector", "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution</span></a> <br>", "base64": false}]}], "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.", "supportingMedia": [{"type": "text/html", "value": "The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204 Observable response discrepancy"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.0.379", "versionStartIncluding": "5.10.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.11.0.426", "versionStartIncluding": "5.11.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.11.0.431", "versionStartIncluding": "5.11.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.0.0.253", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.0.254", "versionStartIncluding": "6.1.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "7.0.0.131", "versionStartIncluding": "7.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.0.0.318", "versionStartIncluding": "2.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.0.267", "versionStartIncluding": "5.10.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:email_otp_authenticator:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.0.18.7", "versionStartIncluding": "1.0.18"}, {"criteria": "cpe:2.3:a:wso2:email_otp_authenticator:*:*:*:*:*:*:*:*", "vulnerable": false, "versionEndIncluding": "*", "versionStartIncluding": "1.0.24"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.1.0.8", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.1.4.9", "versionStartIncluding": "4.1.4"}, {"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "vulnerable": false, "versionEndIncluding": "*", "versionStartIncluding": "4.1.22"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.0.5.8", "versionStartIncluding": "3.0.5"}, {"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.0.24.6", "versionStartIncluding": "3.0.24"}, {"criteria": "cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.0.26.16", "versionStartIncluding": "3.0.26"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2026-05-11T08:45:33.754Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0391", "state": "PUBLISHED", "dateUpdated": "2026-05-11T12:46:03.691Z", "dateReserved": "2024-01-10T09:02:14.122Z", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "datePublished": "2026-05-11T08:45:33.754Z", "assignerShortName": "WSO2"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences."}], "id": "CVE-2024-0391", "lastModified": "2026-05-13T15:25:04.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}]}, "published": "2026-05-11T10:16:11.593", "references": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/"}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0.18,1.0.18.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[1.0.24,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Email OTP Authenticator", "source": "cna", "vendor": "WSO2"}, "product": "email_otp_authenticator", "vendor": "wso2"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[5.10.0,5.10.0.379)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[5.11.0,5.11.0.426)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[5.11.0,5.11.0.431)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.0.0,6.0.0.253)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.1.0,6.1.0.254)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[7.0.0,7.0.0.131)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "WSO2 Identity Server", "source": "cna", "vendor": "WSO2"}, "product": "identity_server", "vendor": "wso2"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[5.10.0,5.10.0.267)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "WSO2 Identity Server as Key Manager", "source": "cna", "vendor": "WSO2"}, "product": "identity_server_as_key_manager", "vendor": "wso2"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.0.0,2.0.0.318)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "WSO2 Open Banking IAM", "source": "cna", "vendor": "WSO2"}, "product": "open_banking_iam", "vendor": "wso2"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.1.0,4.1.0.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.1.4,4.1.4.9)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[4.1.22,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 95.0, "source": "matching"}]}, "original": {"product": "WSO2 Carbon Authenticator Library For EmailOTP", "source": "cna", "vendor": "WSO2"}, "product": "wso2_carbon_authenticator_library_for_emailotp", "vendor": "wso2"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.0.5,3.0.5.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.0.24,3.0.24.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.0.26,3.0.26.16)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 95.0, "source": "matching"}]}, "original": {"product": "WSO2 Carbon Authenticator Library For EmailOTP", "source": "cna", "vendor": "WSO2"}, "product": "wso2_carbon_authenticator_library_for_emailotp", "vendor": "wso2"}], "created": "2026-05-11T17:15:40.099920+00:00", "updated": "2026-05-12T09:00:06.441844+00:00", "vendors": ["wso2", "wso2$PRODUCT$email_otp_authenticator", "wso2$PRODUCT$identity_server", "wso2$PRODUCT$identity_server_as_key_manager", "wso2$PRODUCT$open_banking_iam", "wso2$PRODUCT$wso2_carbon_authenticator_library_for_emailotp"]}