CVE-2025-34255
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-10-30
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | nuclias_connect | to 1.3.1.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in D-Link Nuclias Connect firmware versions up to 1.3.1.4. The 'Forgot Password' endpoint returns different JSON responses depending on whether the provided email address is associated with an existing account. Specifically, the 'data.exist' boolean value differs, allowing an unauthenticated remote attacker to determine which email addresses/accounts are valid on the server.
How can this vulnerability impact me? :
The vulnerability allows an unauthenticated attacker to enumerate valid email addresses or accounts on the server. This can lead to privacy breaches, targeted phishing attacks, or further exploitation attempts against known accounts.