PT-2025-39521 · WSO2 · WSO2 Products

Published: 2025-09-26 · Updated: 2025-09-26 · CVE-2025-1396

CVSS v3.1: 3.7

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

**Name of the Vulnerable Software and Affected Versions**

WSO2 products (affected versions not specified)

**Description**

A username enumeration issue exists when Multi-Attribute Login is enabled. The system provides a different response for existing and non-existing usernames, regardless of the `validate username` setting. This allows attackers to determine valid usernames, potentially aiding in brute-force attacks, phishing, or social engineering. The API endpoint involved is the login form. The `username` parameter is vulnerable to enumeration.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Side Channel Attack

Weakness Enumeration

Related Identifiers: CVE-2025-1396

Affected Products: WSO2 Products