Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-24664 is a username enumeration vulnerability in the Open eClass platform versions up to 4.1. It allows unauthenticated attackers to identify valid usernames by analyzing differences in the login response behavior.'}, {'type': 'paragraph', 'content': 'Specifically, when a valid username is submitted to the login endpoint, the server responds with a temporary session cookie (Set-Cookie: PHPSESSID=...), but when an invalid username is submitted, no session cookie is set. This difference enables attackers to distinguish valid usernames from invalid ones.'}, {'type': 'paragraph', 'content': "Attackers can exploit this vulnerability by sending automated requests with lists of potential usernames and observing the server's responses."}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to discover valid usernames on your Open eClass platform without authentication.

Knowing valid usernames can facilitate further attacks such as password guessing, phishing, or social engineering, potentially leading to unauthorized access.

However, the vulnerability does not directly impact data integrity or availability, and its confidentiality impact is considered low.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by analyzing the login response behavior of the Open eClass platform. Specifically, when submitting a username to the login endpoint, observe whether the server sets a session cookie (Set-Cookie: PHPSESSID=...). A valid username submission results in a session cookie being set, while an invalid username does not.'}, {'type': 'paragraph', 'content': 'To detect this on your system or network, you can perform automated HTTP requests to the login endpoint with a list of potential usernames and monitor the presence or absence of the Set-Cookie header in the responses.'}, {'type': 'paragraph', 'content': 'Example command using curl to test a username:'}, {'type': 'list_item', 'content': 'curl -i -X POST -d "username=TEST_USERNAME&password=any" https://your-openeclass-domain/login'}, {'type': 'paragraph', 'content': 'Check the response headers for the Set-Cookie field. If the PHPSESSID cookie is present, the username is likely valid; if absent, the username is invalid.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Open eClass platform to version 4.2 or later, where this username enumeration vulnerability has been patched.

Until the upgrade can be performed, consider implementing additional protections such as rate limiting login attempts, monitoring for suspicious login activity, and employing web application firewalls to detect and block automated username enumeration attempts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to enumerate valid usernames by analyzing differences in login response behavior, which leads to a low confidentiality impact.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to identify valid user accounts could potentially increase the risk of targeted attacks or unauthorized access attempts, which may have implications for protecting personal data under such regulations.

However, since the vulnerability does not directly expose sensitive personal data or compromise data integrity or availability, its impact on compliance with these regulations is likely limited but still relevant as part of an overall security posture.

Useful 0 Not Useful 0