PT-2025-39521 · Wso2 · Wso2 Products

Published: 2025-09-26 · Updated: 2025-10-06 · CVE-2025-1396

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

WSO2 products (affected versions not specified)

Description

A username enumeration issue exists when Multi-Attribute Login is enabled. The system provides a different response for existing and non-existing usernames, regardless of the validate username setting. This allows attackers to determine valid usernames, potentially aiding in brute-force attacks, phishing, or social engineering. The API endpoint involved is the login form. The username parameter is vulnerable to enumeration.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2025-1396
GHSA-W82P-R9VW-4RG5

Affected Products

Wso2 Products