Open eClass
cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*
- <= 4.1
A username enumeration vulnerability has been identified in the Open eClass platform, prior to version 4.2. This vulnerability allows unauthenticated attackers to determine valid user accounts by exploiting inconsistencies in the login response. When a valid username is entered, the response includes a session cookie, whereas an invalid username does not. This discrepancy can be leveraged to automate the identification of valid usernames.
Exploitation of this vulnerability allows for reliable identification of valid usernames, which could be used in further attacks, such as password guessing or phishing.
To reproduce this vulnerability, send requests to the login endpoint with a list of usernames. Observe the response headers: valid usernames will trigger a response that includes a session cookie, while invalid usernames will not. This difference can be used to create an automated tool for username enumeration.
Users are advised to update to Open eClass version 4.2 or later.
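The discrepancy described above, and one way to close it, modelled in a few lines of Python. This is an added illustration, not Open eClass code: the user store, the cookie name, and the handler names `login_vulnerable`, `login_fixed` and `distinguishes_usernames` are all hypothetical. The vulnerable handler issues a session cookie only once the username resolves; the hardened one does the same work and returns the same status, headers and body whether the username is unknown or the password is wrong, so a remote observer cannot tell the two failure cases apart. `distinguishes_usernames` is the regression check a maintainer would keep after the fix.

```python
"""Login-response oracle: vulnerable pattern beside a uniform-response fix.
Added example; not Open eClass code. All names and values are constructed."""
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"  # constructed; real code uses a per-user random salt


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: username -> (salt, password hash)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY = (_SALT, _hash("dummy-not-a-real-password", _SALT))


def login_vulnerable(username: str, password: str) -> dict:
    """Vulnerable pattern: the session cookie appears only if the username exists."""
    rec = USERS.get(username)
    if rec is None:
        # Unknown user: no session started, no Set-Cookie header at all.
        return {"status": 200, "headers": {}, "body": "Login failed"}
    # Known user: session started before the password is even checked.
    headers = {"Set-Cookie": "SESSION=" + secrets.token_hex(16)}
    salt, digest = rec
    if hmac.compare_digest(_hash(password, salt), digest):
        return {"status": 302, "headers": headers, "body": ""}
    return {"status": 200, "headers": headers, "body": "Login failed"}


def login_fixed(username: str, password: str) -> dict:
    """Hardened: same headers, status, body and work for every failed login."""
    salt, digest = USERS.get(username, _DUMMY)
    # Always hash, then require both a matching digest and a real account.
    ok = hmac.compare_digest(_hash(password, salt), digest) and username in USERS
    # Session cookie issued unconditionally (as a session_start() at request
    # start would), so its presence says nothing about the username.
    headers = {"Set-Cookie": "SESSION=" + secrets.token_hex(16)}
    if ok:
        return {"status": 302, "headers": headers, "body": ""}
    return {"status": 200, "headers": headers, "body": "Login failed"}


def observable(resp: dict) -> tuple:
    """What a remote observer can compare: status, header names, body.
    The cookie value itself is random, so only the header's presence counts."""
    return (resp["status"], sorted(resp["headers"]), resp["body"])


def distinguishes_usernames(handler, known: str, unknown: str,
                            password: str = "wrong-password") -> bool:
    """Regression check: True if failed logins for a known and an unknown
    username produce observably different responses (i.e. an oracle exists)."""
    return observable(handler(known, password)) != observable(handler(unknown, password))


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "leaks username validity:",
              distinguishes_usernames(handler, "alice", "nobody"))
```

Run it as a script to see the vulnerable handler reported as leaking and the fixed one as not. The same check applies to a live deployment: submit a failed login for an account known to exist and one known not to, and compare status, header names and body; any difference, including timing from skipping the password hash for unknown users, is the oracle this advisory describes.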