CWE-202
AllowedExposure of Sensitive Information Through Data Queries
Abstraction: Base · Status: Draft
When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
59 vulnerabilities reference this CWE, most recent first.
GHSA-784Q-2FW8-CPW8
Vulnerability from github – Published: 2024-05-22 09:31 – Updated: 2024-05-22 09:31The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxs_getExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets.
{
"affected": [],
"aliases": [
"CVE-2024-2088"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-22T07:15:12Z",
"severity": "HIGH"
},
"details": "The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the \u0027nxs_getExpSettings\u0027 function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets.",
"id": "GHSA-784q-2fw8-cpw8",
"modified": "2024-05-22T09:31:46Z",
"published": "2024-05-22T09:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2088"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/social-networks-auto-poster-facebook-twitter-g/trunk/inc/nxs_functions_wp.php#L620"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3084635/social-networks-auto-poster-facebook-twitter-g/trunk/inc/nxs_functions_wp.php?contextall=1"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70724bc7-c1f4-4965-8bba-99b2ed21d34b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-79HX-3FP8-HJ66
Vulnerability from github – Published: 2025-09-17 20:11 – Updated: 2025-09-26 16:18Impact
A peer exposes the gRPC API and HTTP API for consumption by other peers. These APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine.
file, err := os.OpenFile(t.DataFilePath, os.O_RDWR, defaultFileMode)
if err != nil {
return 0, err
}
defer file.Close()
if _, err = file.Seek(req.Range.Start, io.SeekStart); err != nil {
return 0, err
}
n, err := io.Copy(file, io.LimitReader(req.Reader, req.Range.Length))
Patches
- Dragonfy v2.1.0 and above.
Workarounds
There are no effective workarounds, beyond upgrading.
References
A third party security audit was performed by Trail of Bits, you can see the full report.
If you have any questions or comments about this advisory, please email us at dragonfly-maintainers@googlegroups.com.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/dragonflyoss/dragonfly"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "d7y.io/dragonfly/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59352"
],
"database_specific": {
"cwe_ids": [
"CWE-202",
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-17T20:11:13Z",
"nvd_published_at": "2025-09-17T20:15:37Z",
"severity": "MODERATE"
},
"details": "### Impact\nA peer exposes the gRPC API and HTTP API for consumption by other peers. These APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers\u2019 secret data and to gain remote code execution (RCE) capabilities on the peer\u2019s machine.\n\n```golang\nfile, err := os.OpenFile(t.DataFilePath, os.O_RDWR, defaultFileMode)\nif err != nil {\n return 0, err\n}\ndefer file.Close()\nif _, err = file.Seek(req.Range.Start, io.SeekStart); err != nil {\n return 0, err\n}\nn, err := io.Copy(file, io.LimitReader(req.Reader, req.Range.Length))\n```\n\n### Patches\n\n- Dragonfy v2.1.0 and above.\n\n### Workarounds\n\nThere are no effective workarounds, beyond upgrading.\n\n### References\n\nA third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf).\n\nIf you have any questions or comments about this advisory, please email us at [dragonfly-maintainers@googlegroups.com](mailto:dragonfly-maintainers@googlegroups.com).",
"id": "GHSA-79hx-3fp8-hj66",
"modified": "2025-09-26T16:18:51Z",
"published": "2025-09-17T20:11:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59352"
},
{
"type": "PACKAGE",
"url": "https://github.com/dragonflyoss/dragonfly"
},
{
"type": "WEB",
"url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3961"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
"type": "CVSS_V4"
}
],
"summary": "DragonFly vulnerable to arbitrary file read and write on a peer machine"
}
GHSA-7M85-P686-23RM
Vulnerability from github – Published: 2026-03-21 06:30 – Updated: 2026-03-21 06:30The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can('manage_options')) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim's e-shot platform account.
{
"affected": [],
"aliases": [
"CVE-2026-3546"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-21T04:17:27Z",
"severity": "MODERATE"
},
"details": "The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can(\u0027manage_options\u0027)) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim\u0027s e-shot platform account.",
"id": "GHSA-7m85-p686-23rm",
"modified": "2026-03-21T06:30:25Z",
"published": "2026-03-21T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3546"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/admin/class-eshotformbuilder-admin.php#L567"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/includes/class-eshotformbuilder.php#L163"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/admin/class-eshotformbuilder-admin.php#L567"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/includes/class-eshotformbuilder.php#L163"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/965bb642-4472-491f-8378-f4331ba4ab7c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-82GM-Q2VC-G3X3
Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-05-14 00:01A vulnerability in the History API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected system. This vulnerability is due to insufficient API authorization checking on the underlying operating system. An attacker could exploit this vulnerability by sending a crafted API request to Cisco vManage as a lower-privileged user and gaining access to sensitive information that they would not normally be authorized to access.
{
"affected": [],
"aliases": [
"CVE-2022-20747"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-15T15:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the History API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected system. This vulnerability is due to insufficient API authorization checking on the underlying operating system. An attacker could exploit this vulnerability by sending a crafted API request to Cisco vManage as a lower-privileged user and gaining access to sensitive information that they would not normally be authorized to access.",
"id": "GHSA-82gm-q2vc-g3x3",
"modified": "2022-05-14T00:01:19Z",
"published": "2022-04-16T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20747"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-infodis-73sHJNEq"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-87XG-G898-RH5Q
Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 18:32Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Exposure of Sensitive Information Through Data Queries vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.
{
"affected": [],
"aliases": [
"CVE-2025-36575"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T18:15:31Z",
"severity": "HIGH"
},
"details": "Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Exposure of Sensitive Information Through Data Queries vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.",
"id": "GHSA-87xg-g898-rh5q",
"modified": "2025-06-10T18:32:32Z",
"published": "2025-06-10T18:32:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36575"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000325679/dsa-2025-226"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9CG9-4H4F-J6FG
Vulnerability from github – Published: 2025-12-30 15:31 – Updated: 2025-12-30 15:31Summary
An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., database.php with database credentials), leading to high-impact information disclosure and potential follow-on compromise.
Details
The endpoint /api/setup/backup is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an “installed version” string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated ZIP file.
Relevant code paths:
- Rewrite rule exposing the endpoint:
- phpmyfaq/.htaccess: RewriteRule ^api/setup/(check|backup|update-database) api/index.php [L,QSA]
- Controller implementation:
- phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.php → backup()
- No call to hasValidToken(), userIsAuthenticated(), or any permission check
- Backup creation:
- phpmyfaq/src/phpMyFAQ/Setup/Update.php → createConfigBackup()
- Writes the ZIP into the config directory and returns a public URL under content/core/config/
PoC
Replace BASE_URL with your instance URL.
1) Trigger config backup generation without authentication:
BASE_URL="http://localhost"
curl -i -X POST "${BASE_URL}/api/setup/backup" \
-H "Content-Type: text/plain" \
--data "4.1.0-RC"
Expected result: 200 OK with JSON containing backupFile.
2) Copy the backupFile URL from the JSON response and download it (still without authentication):
# Example (replace with the exact URL returned in step 1)
curl -i "http://localhost/content/core/config/phpmyfaq-config-backup.YYYY-MM-DD.zip" -o phpmyfaq-config-backup.zip
3) Verify sensitive content exists in the ZIP:
unzip -l phpmyfaq-config-backup.zip
unzip -p phpmyfaq-config-backup.zip database.php
Observed: database.php is included and contains DB host/user/password.
Impact
- Vulnerability class: Missing authentication/authorization for a sensitive function + sensitive information exposure.
- Who is impacted: Any internet-exposed phpMyFAQ installation where the default
.htaccessrewrite rules are active and the endpoint is reachable. - Security impact: Disclosure of configuration secrets (DB credentials, integration config, etc.), enabling follow-on attacks such as database takeover and data exfiltration.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0-alpha"
},
{
"last_affected": "4.1.0-beta.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-69200"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-30T15:31:19Z",
"nvd_published_at": "2025-12-29T16:15:43Z",
"severity": "HIGH"
},
"details": "### Summary\nAn unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise.\n\n### Details\nThe endpoint `/api/setup/backup` is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an \u201cinstalled version\u201d string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated ZIP file.\n\nRelevant code paths:\n- Rewrite rule exposing the endpoint:\n - `phpmyfaq/.htaccess`: `RewriteRule ^api/setup/(check|backup|update-database) api/index.php [L,QSA]`\n- Controller implementation:\n - `phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.php` \u2192 `backup()`\n - No call to `hasValidToken()`, `userIsAuthenticated()`, or any permission check\n- Backup creation:\n - `phpmyfaq/src/phpMyFAQ/Setup/Update.php` \u2192 `createConfigBackup()`\n - Writes the ZIP into the config directory and returns a public URL under `content/core/config/`\n\n### PoC\nReplace `BASE_URL` with your instance URL.\n\n1) Trigger config backup generation without authentication:\n\n```bash\nBASE_URL=\"http://localhost\"\ncurl -i -X POST \"${BASE_URL}/api/setup/backup\" \\\n -H \"Content-Type: text/plain\" \\\n --data \"4.1.0-RC\"\n```\n\nExpected result: `200 OK` with JSON containing `backupFile`.\n\n2) Copy the `backupFile` URL from the JSON response and download it (still without authentication):\n\n```bash\n# Example (replace with the exact URL returned in step 1)\ncurl -i \"http://localhost/content/core/config/phpmyfaq-config-backup.YYYY-MM-DD.zip\" -o phpmyfaq-config-backup.zip\n```\n\n3) Verify sensitive content exists in the ZIP:\n\n```bash\nunzip -l phpmyfaq-config-backup.zip\nunzip -p phpmyfaq-config-backup.zip database.php\n```\n\nObserved: `database.php` is included and contains DB host/user/password.\n\n### Impact\n- Vulnerability class: Missing authentication/authorization for a sensitive function + sensitive information exposure.\n- Who is impacted: Any internet-exposed phpMyFAQ installation where the default `.htaccess` rewrite rules are active and the endpoint is reachable.\n- Security impact: Disclosure of configuration secrets (DB credentials, integration config, etc.), enabling follow-on attacks such as database takeover and data exfiltration.",
"id": "GHSA-9cg9-4h4f-j6fg",
"modified": "2025-12-30T15:31:19Z",
"published": "2025-12-30T15:31:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9cg9-4h4f-j6fg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69200"
},
{
"type": "WEB",
"url": "https://github.com/thorsten/phpMyFAQ/commit/b0e99ee3695152115841cb546d8dce64ceb8c29a"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpMyFAQ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "phpMyFAQ has unauthenticated config backup download via /api/setup/backup"
}
GHSA-F2VV-H5X4-57GR
Vulnerability from github – Published: 2021-02-10 02:32 – Updated: 2021-10-05 16:12Impact
Leak of information via Store-API
Patches
We recommend to update to the current version 6.3.5.1. You can get the update to 6.3.5.1 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/en/download/#shopware-6
The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. Please check your plugins if you have it in use. Detailed technical information can be found in the upgrade information.
https://github.com/shopware/platform/blob/v6.3.5.1/UPGRADE-6.3.md#6351
Workarounds
For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
For more information
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.3.5.0"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": true,
"github_reviewed_at": "2021-02-10T02:17:41Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\nLeak of information via Store-API\n\n### Patches\nWe recommend to update to the current version 6.3.5.1. You can get the update to 6.3.5.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\nThe vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. Please check your plugins if you have it in use. Detailed technical information can be found in the upgrade information.\n\nhttps://github.com/shopware/platform/blob/v6.3.5.1/UPGRADE-6.3.md#6351\n\n### Workarounds\nFor older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021",
"id": "GHSA-f2vv-h5x4-57gr",
"modified": "2021-10-05T16:12:44Z",
"published": "2021-02-10T02:32:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/platform/security/advisories/GHSA-f2vv-h5x4-57gr"
},
{
"type": "WEB",
"url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/platform"
},
{
"type": "WEB",
"url": "https://github.com/shopware/platform/blob/v6.3.5.1/UPGRADE-6.3.md#6351"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/shopware/platform"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Leak of information via Store-API"
}
GHSA-G67V-GQ6F-P8X3
Vulnerability from github – Published: 2024-06-24 21:33 – Updated: 2024-07-03 18:46WAVLINK WN551K1'live_mfg.shtml enables attackers to obtain sensitive router information.
{
"affected": [],
"aliases": [
"CVE-2024-38895"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-24T21:15:26Z",
"severity": "MODERATE"
},
"details": "WAVLINK WN551K1\u0027live_mfg.shtml enables attackers to obtain sensitive router information.",
"id": "GHSA-g67v-gq6f-p8x3",
"modified": "2024-07-03T18:46:35Z",
"published": "2024-06-24T21:33:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38895"
},
{
"type": "WEB",
"url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/live_mfg.shtml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H27M-3QW8-3PW8
Vulnerability from github – Published: 2025-07-23 15:47 – Updated: 2025-07-25 16:23Impact
Administrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the /api/v2.0/users endpoint to leak users' password hash and salt values. This vulnerability was introduced into the application because the q URL parameter allowed the administrator to filter users by any column, and the filter password=~ could be abused to leak out a user's password hash character by character.
An attacker with administrator access could exploit this vulnerability to leak highly sensitive information stored on the Harbor database, as demonstrated in the attached writeup by the leaking of users' password hashes and salts. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack, and could potentially be exploitable by lower privileged users to gain unauthorised access to other sensitive information.
Patches
No available
Workarounds
NA
References
Credit
alex@elttam.com
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.13.0"
},
{
"fixed": "2.13.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.13.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0-rc1.1"
},
{
"fixed": "2.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.0-rc1.0.20250331071157-dce7d9f5cffb"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-30086"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-202"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-23T15:47:31Z",
"nvd_published_at": "2025-07-25T15:15:26Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nAdministrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the `/api/v2.0/users` endpoint to leak users\u0027 password hash and salt values. This vulnerability was introduced into the application because the `q` URL parameter allowed the administrator to filter users by any column, and the filter `password=~` could be abused to leak out a user\u0027s password hash character by character.\n\nAn attacker with administrator access could exploit this vulnerability to leak highly sensitive information stored on the Harbor database, as demonstrated in the attached writeup by the leaking of users\u0027 password hashes and salts. All endpoints that support the `q` URL parameter are vulnerable to this ORM leak attack, and could potentially be exploitable by lower privileged users to gain unauthorised access to other sensitive information. \n\n\n### Patches\nNo available\n\n### Workarounds\nNA\n\n### References\n\n### Credit\nalex@elttam.com",
"id": "GHSA-h27m-3qw8-3pw8",
"modified": "2025-07-25T16:23:52Z",
"published": "2025-07-23T15:47:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-h27m-3qw8-3pw8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30086"
},
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/commit/dce7d9f5cffbd0d0c5d27e7a2f816f65a930702c"
},
{
"type": "PACKAGE",
"url": "https://github.com/goharbor/harbor"
},
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/releases"
},
{
"type": "WEB",
"url": "https://goharbor.io/blog"
},
{
"type": "WEB",
"url": "https://www.elttam.com/blog/plormbing-your-django-orm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Possible ORM Leak Vulnerability in the Harbor"
}
GHSA-HRVV-3GC2-4CQX
Vulnerability from github – Published: 2024-10-04 12:31 – Updated: 2026-06-03 15:30Cleartext Storage of Sensitive Information vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data.This issue solved in versions 1.21.10, 1.23.01, 1.23.08, 1.23.11 and 1.24.03.
{
"affected": [],
"aliases": [
"CVE-2024-6400"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-04T12:15:12Z",
"severity": "HIGH"
},
"details": "Cleartext Storage of Sensitive Information vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data.This issue solved in versions 1.21.10,\u00a01.23.01,\u00a01.23.08, 1.23.11 and 1.24.03.",
"id": "GHSA-hrvv-3gc2-4cqx",
"modified": "2026-06-03T15:30:35Z",
"published": "2024-10-04T12:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6400"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1611"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-1611"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
This is a complex topic. See the [REF-1492] for a good discussion of best practices.
No CAPEC attack patterns related to this CWE.