Humhub · Humhub Social Network Kit · CVE-2019-12743
**Name of the Vulnerable Software and Affected Versions**
HumHub Social Network Kit Enterprise version 1.3.13
**Description**
The issue allows remote attackers to enumerate existing user accounts on HumHub Social Network Kit instances, including self-hosted ones, by brute-forcing candidate usernames in requests to profile URLs of the form "/u/<username>" and observing that the response differs depending on whether the account exists. The root cause is a response discrepancy information exposure: the application reveals account existence through an observable difference in its replies to valid and invalid usernames.
**Recommendations**
For HumHub Social Network Kit Enterprise version 1.3.13, consider restricting access to the "/u/" profile URL path (for example, to authenticated users only) to minimize the risk of exploitation until a patch is available. As a temporary workaround, implement rate limiting or IP blocking to slow brute-force enumeration of user accounts. Note that rate limiting only raises the cost of enumeration; the complete fix is to remove the discrepancy itself so that requests for existing and nonexistent usernames produce indistinguishable responses (same status code, body and timing). Monitoring access logs for a single source requesting many distinct "/u/<username>" paths in a short interval gives early warning that enumeration is in progress.
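The following is an added detection example, not code from the advisory or from the HumHub project, covering both the enumeration behaviour described above and the rate-limiting/IP-blocking workaround recommended here. It parses web-server access logs in combined log format, groups requests to "/u/<username>" paths by source IP, and flags any source that probes more distinct usernames within a sliding time window than a configurable threshold. The sample log lines, the IP addresses, the usernames, the threshold values and the assumption that a nonexistent profile answers with HTTP 404 are all constructed for the example; the 404 count is reported only as a secondary indicator, and the detection itself relies on the number of distinct usernames probed, so it works regardless of how the response discrepancy manifests.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# HumHub profile URLs start with /u/<username>; anything after the name is ignored.
PROFILE_RE = re.compile(r'^/u/(?P<user>[^/?#]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one source probes 12 candidate names within 12 seconds
# (only "alice" and "bob" exist, so the rest are assumed to answer 404), while a
# second source behaves like an ordinary browsing user. None of this is real data.
PROBED_NAMES = ["aaron", "adam", "alice", "amy", "anna", "ben",
                "bob", "carl", "dan", "dave", "ed", "eve"]
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jun/2019:12:00:{i:02d} +0000] "GET /u/{name}/ HTTP/1.1" '
    f'{200 if name in ("alice", "bob") else 404} 312 "-" "curl/7.64.0"'
    for i, name in enumerate(PROBED_NAMES)
] + [
    '198.51.100.4 - - [10/Jun/2019:12:00:05 +0000] "GET /u/alice/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2019:12:00:09 +0000] "GET /dashboard HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict for a profile request (/u/<username>), or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PROFILE_RE.match(m.group("path"))
    if not p:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "user": p.group("user"),
        "status": int(m.group("status")),
    }


def detect_enumeration(lines, window_seconds=60, max_distinct_users=10):
    """Flag sources that request more than max_distinct_users distinct profile names
    within any window_seconds sliding window.

    Returns {ip: (peak_distinct_usernames, not_found_responses_at_peak)}.
    """
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()
        peak = (0, 0)
        for ev in events:
            window.append(ev)
            # Drop events that fell out of the sliding window.
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            distinct = len({e["user"] for e in window})
            if distinct > peak[0]:
                not_found = sum(1 for e in window if e["status"] == 404)
                peak = (distinct, not_found)
        if peak[0] > max_distinct_users:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, (distinct, not_found) in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed {distinct} distinct /u/ names ({not_found} answered 404) "
              f"-> candidate for rate limiting or blocking")
```

The flagged addresses are the input to the advisory's workaround: feed them to a temporary block list or a fail2ban-style rule that throttles further requests to the "/u/" path. Tune `window_seconds` and `max_distinct_users` against normal traffic first, because a legitimate user clicking through a member directory also touches several profiles; the distinguishing feature of enumeration is a high count of distinct names from one source in a short interval, most of them for accounts that do not exist.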