Key information

Vulnerability name: D-Link Nuclias Connect <= v1.3.1.4 Forgot Password Account Enumeration
Severity: MEDIUM
Date: October 16, 2025
Affected versions: Nuclias Connect <= 1.3.1.4
CVE ID: CVE-2025-34255
CWE ID: CWE-204 Observable Response Discrepancy
CVSS score: 6.9
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References:
- D-Link Advisory
- D-Link Nuclias Connect
Discovered by: Alex Williams from Pellera Technologies

Description:
- D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Forgot Password' endpoint returns distinct JSON responses depending on whether the supplied email address is associated with an existing account. Because the responses differ in the 'data.exist' boolean value, an unauthenticated remote attacker can enumerate valid email addresses/accounts on the server without needing credentials or user interaction. NOTE: D-Link states that a fix is under development.