CWE-204: Observable response discrepancy (user enumeration)

## Security Issue: CWE-204 - Observable Response Discrepancy

**Severity:** Medium
**CVSS:** 5.3

### Description
Login and password reset endpoints return different error messages for 'user not found' vs 'wrong password', enabling user enumeration attacks.

### Attack Vector
An attacker can determine if an email address is registered by observing the different error responses.

### Fix Required
1. Use identical error messages for all authentication failures
2. Example: 'Invalid email or password' for both cases
3. Apply same approach to password reset endpoint

### References
- CWE-204: Observable response discrepancy


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CWE-204: Observable response discrepancy (user enumeration) #265

Security Issue: CWE-204 - Observable Response Discrepancy

Description

Attack Vector

Fix Required

References

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

CWE-204: Observable response discrepancy (user enumeration) #265

Description

Security Issue: CWE-204 - Observable Response Discrepancy

Description

Attack Vector

Fix Required

References

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions