Common Weakness Enumeration

CWE-598

Allowed

Use of HTTP Request With Sensitive Query String

Abstraction: Variant · Status: Draft

The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.

139 vulnerabilities reference this CWE, most recent first.

GHSA-V828-G7RP-VVFC

Vulnerability from github – Published: 2025-10-06 09:30 – Updated: 2025-10-06 09:30
VLAI
Details

In the HTTP request, the username and password are transferred directly in the URL as parameters. However, URLs can be stored in various systems such as server logs, browser histories or proxy servers. As a result, there is a high risk that this sensitive data will be disclosed unintentionally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58584"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-06T07:15:35Z",
    "severity": "MODERATE"
  },
  "details": "In the HTTP request, the username and password are transferred directly in the URL as parameters. However, URLs can be stored in various systems such as server logs, browser histories or proxy servers. As a result, there is a high risk that this sensitive data will be disclosed unintentionally.",
  "id": "GHSA-v828-g7rp-vvfc",
  "modified": "2025-10-06T09:30:19Z",
  "published": "2025-10-06T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58584"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGHQ-CM29-427C

Vulnerability from github – Published: 2025-11-05 21:31 – Updated: 2025-11-05 21:31
VLAI
Details

HCL iAutomate v6.5.1 and v6.5.2 is susceptible to a sensitive information disclosure. An HTTP GET method is used to process a request and includes sensitive information in the query string of that request. An attacker could potentially access information or resources they were not intended to see.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-05T19:15:51Z",
    "severity": "MODERATE"
  },
  "details": "HCL iAutomate v6.5.1 and v6.5.2 is susceptible to a sensitive information disclosure.  An HTTP GET method is used to process a request and includes sensitive information in the query string of that request.  An attacker could potentially access information or resources they were not intended to see.",
  "id": "GHSA-vghq-cm29-427c",
  "modified": "2025-11-05T21:31:02Z",
  "published": "2025-11-05T21:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31954"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0125011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W5VG-8GX8-5CJF

Vulnerability from github – Published: 2026-05-01 18:31 – Updated: 2026-05-01 18:31
VLAI
Details

Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmission. The token appears in URLs such as /api/v1/server/UniProxy/user?token=SECRET, causing it to be recorded in web server access logs, browser history, HTTP Referer headers, and proxy/CDN logs. An attacker who gains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-37504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T16:16:30Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmission. The token appears in URLs such as /api/v1/server/UniProxy/user?token=SECRET, causing it to be recorded in web server access logs, browser history, HTTP Referer headers, and proxy/CDN logs. An attacker who gains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic.",
  "id": "GHSA-w5vg-8gx8-5cjf",
  "modified": "2026-05-01T18:31:24Z",
  "published": "2026-05-01T18:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37504"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/v2board/v2board"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFG8-V2XJ-62HM

Vulnerability from github – Published: 2025-10-03 18:31 – Updated: 2025-10-03 21:30
VLAI
Details

An issue in DirectAdmin v1.680 allows unauthorized attackers to manipulate the page layout and replace the legitimate login interface with arbitrary attacker-controlled content via supplying a crafted GET request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-56551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-03T17:15:47Z",
    "severity": "HIGH"
  },
  "details": "An issue in DirectAdmin v1.680 allows unauthorized attackers to manipulate the page layout and replace the legitimate login interface with arbitrary attacker-controlled content via supplying a crafted GET request.",
  "id": "GHSA-wfg8-v2xj-62hm",
  "modified": "2025-10-03T21:30:56Z",
  "published": "2025-10-03T18:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56551"
    },
    {
      "type": "WEB",
      "url": "https://cxsecurity.com/issue/WLB-2025100001"
    },
    {
      "type": "WEB",
      "url": "https://i.imgur.com/4HF0cnP.png"
    },
    {
      "type": "WEB",
      "url": "https://i.imgur.com/qA6SAXO.png"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVVR-RXQ8-C379

Vulnerability from github – Published: 2024-10-14 09:30 – Updated: 2024-12-03 18:31
VLAI
Details

Exposure of CSRF tokens in query parameters on specific requests in Checkmk GmbH's Checkmk versions <2.3.0p18, <2.2.0p35 and <2.1.0p48 could lead to a leak of the token to facilitate targeted phishing attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-14T08:15:02Z",
    "severity": "LOW"
  },
  "details": "Exposure of CSRF tokens in query parameters on specific requests in Checkmk GmbH\u0027s Checkmk versions \u003c2.3.0p18, \u003c2.2.0p35 and \u003c2.1.0p48 could lead to a leak of the token to facilitate targeted phishing attacks.",
  "id": "GHSA-wvvr-rxq8-c379",
  "modified": "2024-12-03T18:31:02Z",
  "published": "2024-10-14T09:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38863"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/17096"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X4XH-MR6X-3F7C

Vulnerability from github – Published: 2024-04-02 12:30 – Updated: 2024-04-02 12:30
VLAI
Details

Rapid7's InsightVM maintenance mode login page suffers from a sensitive information exposure vulnerability whereby, sensitive information is exposed through query strings in the URL when login is attempted before the page is fully loaded.  This vulnerability allows attackers to acquire sensitive information such as passwords, auth tokens, usernames etc.     The vulnerability is remediated in version 6.6.244. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-02T10:15:09Z",
    "severity": "LOW"
  },
  "details": "Rapid7\u0027s InsightVM maintenance mode login page suffers from a sensitive information exposure vulnerability whereby, sensitive information is exposed through query strings in the URL when login is attempted before the page is fully loaded.\u00a0 This vulnerability allows attackers to acquire sensitive information such as passwords, auth tokens, usernames etc.\u00a0\u00a0\n\u00a0\nThe vulnerability is remediated in version 6.6.244.\u00a0\n\n",
  "id": "GHSA-x4xh-mr6x-3f7c",
  "modified": "2024-04-02T12:30:31Z",
  "published": "2024-04-02T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2745"
    },
    {
      "type": "WEB",
      "url": "https://docs.rapid7.com/release-notes/insightvm/20240327"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9MJ-9378-R98G

Vulnerability from github – Published: 2026-01-15 15:31 – Updated: 2026-01-15 15:31
VLAI
Details

Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-15T14:16:28Z",
    "severity": "MODERATE"
  },
  "details": "Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user\u0027s session and gain unauthorized access.",
  "id": "GHSA-x9mj-9378-r98g",
  "modified": "2026-01-15T15:31:20Z",
  "published": "2026-01-15T15:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22644"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9P5-W45C-7FFC

Vulnerability from github – Published: 2026-03-05 19:50 – Updated: 2026-03-06 00:58
VLAI
Summary
Gogs: Access tokens get exposed through URL params in API requests
Details

Summary

The Gogs API still accepts tokens in URL parameters such as token and access_token, which can leak through logs, browser history, and referrers.

Details

A static review shows that the API still checks tokens in the URL query before looking at headers:

  • internal/context/auth.go reads c.Query("token")
  • internal/context/auth.go falls back to c.Query("access_token")
  • internal/context/auth.go only checks the Authorization header when the query token is empty
  • internal/context/auth.go authenticates using that token and marks the request as token-authenticated

Token-authenticated requests are accepted by API routes through c.IsTokenAuth checks: - internal/route/api/v1/api.go

Impact

If tokens are sent in URLs such as /api/v1/user?token=..., they can leak in logs, browser or shell history, and referrer headers, and can be reused until revoked.

Recommended Fix

  • Authentication headers should be used exclusively for token transmission.
  • Token parameters should be blocked at the proxy or WAF level.
  • Query strings should be scrubbed from logs.
  • A strict referrer policy should be set.

Remediation

A fix is available at https://github.com/gogs/gogs/releases/tag/v0.14.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.13.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T19:50:35Z",
    "nvd_published_at": "2026-03-05T19:16:04Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe Gogs API still accepts tokens in URL parameters such as `token` and `access_token`, which can leak through logs, browser history, and referrers.\n\n### Details\n\nA static review shows that the API still checks tokens in the URL query before looking at headers:\n\n  - internal/context/auth.go reads `c.Query(\"token\")`\n  - internal/context/auth.go falls back to `c.Query(\"access_token\")`\n  - internal/context/auth.go only checks the `Authorization` header when the query token is empty\n  - internal/context/auth.go authenticates using that token and marks the request as token-authenticated\n\nToken-authenticated requests are accepted by API routes through `c.IsTokenAuth` checks:\n  - internal/route/api/v1/api.go\n\n### Impact\n\nIf tokens are sent in URLs such as `/api/v1/user?token=...`, they can leak in logs, browser or shell history, and referrer headers, and can be reused until revoked.\n\n### Recommended Fix\n\n- Authentication headers should be used exclusively for token transmission.\n- Token parameters should be blocked at the proxy or WAF level.\n- Query strings should be scrubbed from logs.\n- A strict referrer policy should be set.\n\n### Remediation\n\nA fix is available at https://github.com/gogs/gogs/releases/tag/v0.14.2.",
  "id": "GHSA-x9p5-w45c-7ffc",
  "modified": "2026-03-06T00:58:07Z",
  "published": "2026-03-05T19:50:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26196"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8177"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/295bfba72993c372e7b338438947d8e1a6bed8fd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs: Access tokens get exposed through URL params in API requests"
}

GHSA-XWPR-8R3X-2877

Vulnerability from github – Published: 2025-08-28 15:30 – Updated: 2025-09-08 18:31
VLAI
Details

QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the necessary credentials to log in as the user.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-28T11:15:32Z",
    "severity": "MODERATE"
  },
  "details": "QuickCMS sends password and login via GET Request. This allows a\u00a0local attacker with access to the victim\u0027s browser history to obtain the necessary credentials to log in as the user.\n\nThe vendor was notified early about this vulnerability, but didn\u0027t respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.",
  "id": "GHSA-xwpr-8r3x-2877",
  "modified": "2025-09-08T18:31:27Z",
  "published": "2025-08-28T15:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54542"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2025/08/CVE-2025-54540"
    },
    {
      "type": "WEB",
      "url": "https://opensolution.org"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.

No CAPEC attack patterns related to this CWE.