Information Exposure
Pritunl allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return err However, if the username is valid, then login attempts, the server will start responding with err Invalid usernames will receive err indefinitely.
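A log-review check for the pattern described above, as an added example that is not part of the original advisory or of Pritunl's code. The log line format, the `ERR_A`/`ERR_B` response labels, the flip after three attempts and the burst threshold are all constructed assumptions, since the page does not preserve the actual response values.

```python
from collections import Counter, defaultdict

LOGIN_PATH = "/auth/session"  # endpoint named in the advisory


def build_sample():
    """Constructed log lines: '<client ip> <path> <username> <response>'."""
    lines = []
    for i in range(6):  # constructed: failure response flips after 3 tries
        lines.append(f"203.0.113.7 {LOGIN_PATH} alice {'ERR_A' if i < 3 else 'ERR_B'}")
    for _ in range(6):  # unknown account: same failure response every time
        lines.append(f"203.0.113.7 {LOGIN_PATH} nosuchuser ERR_A")
    lines.append(f"198.51.100.20 {LOGIN_PATH} bob ERR_A")  # one mistyped password
    lines.append("198.51.100.20 /ping - OK")               # unrelated request
    lines.append("garbage")                                # malformed line
    return lines


def parse(line):
    """Return (ip, username, response) for login attempts, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != LOGIN_PATH:
        return None
    ip, _, user, resp = parts
    return ip, user, resp


def analyze(lines, burst=5):
    per_source = Counter()
    responses = defaultdict(list)  # (ip, username) -> ordered failure responses
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, user, resp = rec
        per_source[ip] += 1
        responses[(ip, user)].append(resp)
    # Sources sending a long series of failed logins to the endpoint.
    noisy = sorted(ip for ip, n in per_source.items() if n >= burst)
    # Usernames whose failure response changed mid-series for a noisy source:
    # the differing response has told that client the account exists.
    exposed = sorted({user for (ip, user), seq in responses.items()
                      if ip in noisy and len(set(seq)) > 1})
    return {"noisy_sources": noisy, "exposed_usernames": exposed}


if __name__ == "__main__":
    print(analyze(build_sample()))
```

Accounts listed under `exposed_usernames` should be treated as known to the client and prioritized for credential review and lockout monitoring.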