# CVE-2024-39211 (Kaiten User Enumeration)
[Kaiten]( is a workflow management system. It is vulnerable to unrestricted brute-force enumeration of user logins and e-mail addresses registered in the system via a simple POST request: the response reveals whether an account exists, and nothing limits the number of attempts.

_Discovered by [Tom Hunter](


[CVE MITRE Description](


## Usage
Simply download the bash script and run it with a custom wordlist of logins _(logins only, not e-mails!)_:

```bash
bash <> <wordlists_users>
```

Result:


## Wordlists
Companies often derive logins from first and last names, for example Anton Ivanov becomes `aivanov` or `a_ivanov`. Accordingly, here are links to large lists of Russian first names and surnames:
- [Russian top names](
- [Russian top Surnames (100k lines)](

This repository also contains an archived wordlist with a basic set of 2.5 million combinations of the form `aivanov`.
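If you want to build the same kind of wordlist from your own name lists (for example, a company-specific transliteration or a different language), the following generator does it. It is an added example, not the repository's own script or its shipped archive: it assumes two input files with one name per line, already transliterated into Latin letters, and emits every first-initial + surname pair in both the `aivanov` and `a_ivanov` styles. The sample names at the bottom are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not part of the CVE-2024-39211 repository): build login candidates
# of the form "aivanov" / "a_ivanov" from a first-name list and a surname list.
# Assumption: both files hold one Latin-transliterated name per line.
set -euo pipefail

# gen_logins FIRSTNAMES SURNAMES
# Prints the Cartesian product of distinct first initials and surnames in both
# styles, lowercased and deduplicated. The initials are computed once because a
# 100k-line surname list times a long first-name list would otherwise explode.
gen_logins() {
  local first="$1" last="$2"
  local initials
  initials=$(tr '[:upper:]' '[:lower:]' < "$first" | grep -v '^$' | cut -c1 | sort -u)
  while IFS= read -r surname; do
    surname=$(printf '%s' "$surname" | tr '[:upper:]' '[:lower:]' | tr -d '\r')
    [ -n "$surname" ] || continue
    for i in $initials; do
      printf '%s%s\n%s_%s\n' "$i" "$surname" "$i" "$surname"
    done
  done < "$last" | sort -u
}

# count_logins FIRSTNAMES SURNAMES: number of unique candidates gen_logins yields.
count_logins() {
  gen_logins "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo on constructed sample data (hypothetical names, not real users).
demo() {
  local d
  d=$(mktemp -d)
  printf 'Anton\nIvan\nAnna\n' > "$d/first.txt"
  printf 'Ivanov\nPetrov\n' > "$d/last.txt"
  gen_logins "$d/first.txt" "$d/last.txt"
  echo "total: $(count_logins "$d/first.txt" "$d/last.txt")"
  rm -rf "$d"
}

demo
```

Run it as `bash gen_logins.sh > logins.txt` after replacing the demo file contents with real lists; the output is a plain one-login-per-line wordlist, which is exactly what the script in the Usage section expects. Because duplicate initials (Anton, Anna) collapse to one `a`, the size of the result is initials x surnames x 2, not first names x surnames x 2.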

## Mitigation
- Update Kaiten to the latest version
- Add a CAPTCHA or rate limiting on the login endpoint
- Return the same response for existing and non-existing accounts so the endpoint does not reveal which logins and e-mail addresses are registered (if you self-host, apply the fix yourself)