{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2018-25350/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25350"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["userSpice"],"_cs_severities":["medium"],"_cs_tags":["username-enumeration","cve-2018-25350","web-application"],"_cs_type":"advisory","_cs_vendors":["userSpice"],"content_html":"\u003cp\u003euserSpice version 4.3.24 is vulnerable to a username enumeration attack. This vulnerability allows unauthenticated attackers to determine valid usernames within the application. By sending specially crafted POST requests to the \u003ccode\u003eexistingUsernameCheck.php\u003c/code\u003e endpoint, attackers can analyze the response from the server to determine if a submitted username is valid. This is achieved by looking for the presence of the string \u0026lsquo;taken\u0026rsquo; in the response text, indicating that the username exists. This vulnerability was reported in CVE-2018-25350. 
Exploitation of this vulnerability allows attackers to gather information for subsequent attacks, such as password brute-forcing or targeted phishing campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the \u003ccode\u003eexistingUsernameCheck.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003eexistingUsernameCheck.php\u003c/code\u003e with a username to check.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the POST request to the server.\u003c/li\u003e\n\u003cli\u003eThe server processes the request and checks if the provided username exists in the database.\u003c/li\u003e\n\u003cli\u003eThe server responds with a text response.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the response text for the presence of the string \u0026ldquo;taken\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eIf \u0026ldquo;taken\u0026rdquo; is present, the attacker confirms the existence of the username.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process with different usernames to enumerate valid accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to enumerate valid usernames on the userSpice 4.3.24 platform. While this vulnerability does not directly lead to account compromise, the enumerated usernames can be used in conjunction with other attack vectors, such as password brute-forcing or targeted phishing campaigns, to gain unauthorized access to user accounts. 
The number of potential victims depends on the number of userSpice installations and the number of accounts on those installations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrades to userSpice to versions beyond 4.3.24 to remediate CVE-2018-25350.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect userSpice Username Enumeration via existingUsernameCheck.php\u003c/code\u003e to your SIEM to identify potential enumeration attempts by monitoring POST requests to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003eexistingUsernameCheck.php\u003c/code\u003e as described in the attack chain to identify and investigate potential username enumeration attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:55:34Z","date_published":"2026-05-26T13:55:34Z","id":"https://feed.craftedsignal.io/briefs/2026-05-userspice-username-enum/","summary":"userSpice 4.3.24 contains a username enumeration vulnerability, allowing unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint and analyzing the response for the 'taken' string.","title":"userSpice Username Enumeration Vulnerability (CVE-2018-25350)","url":"https://feed.craftedsignal.io/briefs/2026-05-userspice-username-enum/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2018-25350","version":"https://jsonfeed.org/version/1.1"}