
Vishal Tomar

Researcher from Control Gap
Rank #47969 of 53,635
5.3 Total CVSS
Vulnerabilities · 1
PT-2022-23838
CVSS 5.3
2022-09-08
Plextrac · Plextrac · CVE-2022-37146
**Name of the Vulnerable Software and Affected Versions**

PlexTrac versions prior to 1.28.0

**Description**

The issue allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. An unauthenticated remote attacker can enumerate valid users by measuring the response time of login attempts, as valid, unlocked users take significantly longer to process than invalid users. However, the lockout policy implemented in version 1.17.0 prevents distinguishing between valid, locked user accounts and non-existent user accounts.

**Recommendations**

For versions prior to 1.28.0, update to version 1.28.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the login functionality to minimize the risk of exploitation.