{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24664", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T20:40:23.386Z", "datePublished": "2026-02-03T16:56:07.167Z", "dateUpdated": "2026-02-04T16:52:52.603Z"}, "containers": {"cna": {"title": "Open eClass is Vulnerable to Username Enumeration via Login Response Discrepancies", "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "lang": "en", "description": "CWE-204: Observable Response Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gunet/openeclass/security/advisories/GHSA-c3wq-m629-5h2j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gunet/openeclass/security/advisories/GHSA-c3wq-m629-5h2j"}], "affected": [{"vendor": "gunet", "product": "openeclass", "versions": [{"version": "< 4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T16:56:07.167Z"}, "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2."}], "source": {"advisory": "GHSA-c3wq-m629-5h2j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T15:55:14.588969Z", "id": "CVE-2026-24664", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:52:52.603Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24664", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T15:55:14.588969Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T15:55:15.312Z"}}], "cna": {"title": "Open eClass is Vulnerable to Username Enumeration via Login Response Discrepancies", "source": {"advisory": "GHSA-c3wq-m629-5h2j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "gunet", "product": "openeclass", "versions": [{"status": "affected", "version": "< 4.2"}]}], "references": [{"url": "https://github.com/gunet/openeclass/security/advisories/GHSA-c3wq-m629-5h2j", "name": "https://github.com/gunet/openeclass/security/advisories/GHSA-c3wq-m629-5h2j", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204: Observable Response Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T16:56:07.167Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24664", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:52:52.603Z", "dateReserved": "2026-01-23T20:40:23.386Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T16:56:07.167Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "62F1C084-2C90-4AB3-A13E-28323DC385C0", "versionEndExcluding": "4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2."}], "id": "CVE-2026-24664", "lastModified": "2026-02-10T18:49:05.527", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T18:16:19.377", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gunet/openeclass/security/advisories/GHSA-c3wq-m629-5h2j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:19:46.508452+00:00", "value": {"mitigation_remediation": ["Upgrade the Open eClass installation to version 4.2 or later", "If an upgrade cannot be performed immediately, enforce login throttling and suppress detailed authentication error messages to mitigate information leakage", "Continuously monitor authentication logs for abnormal username enumeration attempts"], "summary": {"action": "Patch", "impact": "Username Enumeration"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the Open eClass platform version 4.1 and earlier, released under the Gunet project. Accounts created prior to the 4.2 release are susceptible. Administrators of public or private LMS instances should review the installed version to determine exposure.", "description_and_impact": "The Open eClass platform permits unauthenticated users to discover valid usernames by observing differences in the login response. An attacker who can query the login endpoint can determine which account names exist, which can be used to craft targeted phishing or credential-stuffing attacks. The weakness is classified as a username enumeration flaw (CWE\u2011204).", "risk_and_exploitability": "This issue has a CVSS score of 5.3, indicating a medium severity impact. The EPSS score is less than 1%, suggesting a very low probability of exploitation. It is not listed in the CISA KEV catalog. Attackers need only access the web login page, so the attack vector is likely remote via HTTP. Because the vulnerability is present only in earlier releases, the risk can be reduced by updating to a patched version."}}}}, "created": "2026-02-04T12:09:01.075745+00:00", "updated": "2026-04-18T00:30:25.704508+00:00", "vendors": ["openeclass", "openeclass$PRODUCT$openeclass"]}