Common Weakness Enumeration

CWE-202

Allowed

Exposure of Sensitive Information Through Data Queries

Abstraction: Base · Status: Draft

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

59 vulnerabilities reference this CWE, most recent first.

GHSA-784Q-2FW8-CPW8

Vulnerability from github – Published: 2024-05-22 09:31 – Updated: 2024-05-22 09:31
VLAI
Details

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxs_getExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T07:15:12Z",
    "severity": "HIGH"
  },
  "details": "The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the \u0027nxs_getExpSettings\u0027 function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets.",
  "id": "GHSA-784q-2fw8-cpw8",
  "modified": "2024-05-22T09:31:46Z",
  "published": "2024-05-22T09:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2088"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/social-networks-auto-poster-facebook-twitter-g/trunk/inc/nxs_functions_wp.php#L620"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3084635/social-networks-auto-poster-facebook-twitter-g/trunk/inc/nxs_functions_wp.php?contextall=1"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70724bc7-c1f4-4965-8bba-99b2ed21d34b?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79HX-3FP8-HJ66

Vulnerability from github – Published: 2025-09-17 20:11 – Updated: 2025-09-26 16:18
VLAI
Summary
DragonFly vulnerable to arbitrary file read and write on a peer machine
Details

Impact

A peer exposes the gRPC API and HTTP API for consumption by other peers. These APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine.

file, err := os.OpenFile(t.DataFilePath, os.O_RDWR, defaultFileMode)
if err != nil {
       return 0, err
}
defer file.Close()
if _, err = file.Seek(req.Range.Start, io.SeekStart); err != nil {
       return 0, err
}
n, err := io.Copy(file, io.LimitReader(req.Reader, req.Range.Length))

Patches

  • Dragonfy v2.1.0 and above.

Workarounds

There are no effective workarounds, beyond upgrading.

References

A third party security audit was performed by Trail of Bits, you can see the full report.

If you have any questions or comments about this advisory, please email us at dragonfly-maintainers@googlegroups.com.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dragonflyoss/dragonfly"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "d7y.io/dragonfly/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-17T20:11:13Z",
    "nvd_published_at": "2025-09-17T20:15:37Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA peer exposes the gRPC API and HTTP API for consumption by other peers. These APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers\u2019 secret data and to gain remote code execution (RCE) capabilities on the peer\u2019s machine.\n\n```golang\nfile, err := os.OpenFile(t.DataFilePath, os.O_RDWR, defaultFileMode)\nif err != nil {\n       return 0, err\n}\ndefer file.Close()\nif _, err = file.Seek(req.Range.Start, io.SeekStart); err != nil {\n       return 0, err\n}\nn, err := io.Copy(file, io.LimitReader(req.Reader, req.Range.Length))\n```\n\n### Patches\n\n- Dragonfy v2.1.0 and above.\n\n### Workarounds\n\nThere are no effective workarounds, beyond upgrading.\n\n### References\n\nA third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf).\n\nIf you have any questions or comments about this advisory, please email us at [dragonfly-maintainers@googlegroups.com](mailto:dragonfly-maintainers@googlegroups.com).",
  "id": "GHSA-79hx-3fp8-hj66",
  "modified": "2025-09-26T16:18:51Z",
  "published": "2025-09-17T20:11:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59352"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dragonflyoss/dragonfly"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3961"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DragonFly vulnerable to arbitrary file read and write on a peer machine"
}

GHSA-7M85-P686-23RM

Vulnerability from github – Published: 2026-03-21 06:30 – Updated: 2026-03-21 06:30
VLAI
Details

The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can('manage_options')) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim's e-shot platform account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3546"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-21T04:17:27Z",
    "severity": "MODERATE"
  },
  "details": "The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can(\u0027manage_options\u0027)) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim\u0027s e-shot platform account.",
  "id": "GHSA-7m85-p686-23rm",
  "modified": "2026-03-21T06:30:25Z",
  "published": "2026-03-21T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3546"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/admin/class-eshotformbuilder-admin.php#L567"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/includes/class-eshotformbuilder.php#L163"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/admin/class-eshotformbuilder-admin.php#L567"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/includes/class-eshotformbuilder.php#L163"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/965bb642-4472-491f-8378-f4331ba4ab7c?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-82GM-Q2VC-G3X3

Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-05-14 00:01
VLAI
Details

A vulnerability in the History API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected system. This vulnerability is due to insufficient API authorization checking on the underlying operating system. An attacker could exploit this vulnerability by sending a crafted API request to Cisco vManage as a lower-privileged user and gaining access to sensitive information that they would not normally be authorized to access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-15T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the History API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected system. This vulnerability is due to insufficient API authorization checking on the underlying operating system. An attacker could exploit this vulnerability by sending a crafted API request to Cisco vManage as a lower-privileged user and gaining access to sensitive information that they would not normally be authorized to access.",
  "id": "GHSA-82gm-q2vc-g3x3",
  "modified": "2022-05-14T00:01:19Z",
  "published": "2022-04-16T00:00:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20747"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-infodis-73sHJNEq"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-87XG-G898-RH5Q

Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 18:32
VLAI
Details

Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Exposure of Sensitive Information Through Data Queries vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-10T18:15:31Z",
    "severity": "HIGH"
  },
  "details": "Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Exposure of Sensitive Information Through Data Queries vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.",
  "id": "GHSA-87xg-g898-rh5q",
  "modified": "2025-06-10T18:32:32Z",
  "published": "2025-06-10T18:32:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36575"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000325679/dsa-2025-226"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CG9-4H4F-J6FG

Vulnerability from github – Published: 2025-12-30 15:31 – Updated: 2025-12-30 15:31
VLAI
Summary
phpMyFAQ has unauthenticated config backup download via /api/setup/backup
Details

Summary

An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., database.php with database credentials), leading to high-impact information disclosure and potential follow-on compromise.

Details

The endpoint /api/setup/backup is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an “installed version” string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated ZIP file.

Relevant code paths: - Rewrite rule exposing the endpoint: - phpmyfaq/.htaccess: RewriteRule ^api/setup/(check|backup|update-database) api/index.php [L,QSA] - Controller implementation: - phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.phpbackup() - No call to hasValidToken(), userIsAuthenticated(), or any permission check - Backup creation: - phpmyfaq/src/phpMyFAQ/Setup/Update.phpcreateConfigBackup() - Writes the ZIP into the config directory and returns a public URL under content/core/config/

PoC

Replace BASE_URL with your instance URL.

1) Trigger config backup generation without authentication:

BASE_URL="http://localhost"
curl -i -X POST "${BASE_URL}/api/setup/backup" \
  -H "Content-Type: text/plain" \
  --data "4.1.0-RC"

Expected result: 200 OK with JSON containing backupFile.

2) Copy the backupFile URL from the JSON response and download it (still without authentication):

# Example (replace with the exact URL returned in step 1)
curl -i "http://localhost/content/core/config/phpmyfaq-config-backup.YYYY-MM-DD.zip" -o phpmyfaq-config-backup.zip

3) Verify sensitive content exists in the ZIP:

unzip -l phpmyfaq-config-backup.zip
unzip -p phpmyfaq-config-backup.zip database.php

Observed: database.php is included and contains DB host/user/password.

Impact

  • Vulnerability class: Missing authentication/authorization for a sensitive function + sensitive information exposure.
  • Who is impacted: Any internet-exposed phpMyFAQ installation where the default .htaccess rewrite rules are active and the endpoint is reachable.
  • Security impact: Disclosure of configuration secrets (DB credentials, integration config, etc.), enabling follow-on attacks such as database takeover and data exfiltration.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0-alpha"
            },
            {
              "last_affected": "4.1.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-69200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-30T15:31:19Z",
    "nvd_published_at": "2025-12-29T16:15:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise.\n\n### Details\nThe endpoint `/api/setup/backup` is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an \u201cinstalled version\u201d string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated ZIP file.\n\nRelevant code paths:\n- Rewrite rule exposing the endpoint:\n  - `phpmyfaq/.htaccess`: `RewriteRule ^api/setup/(check|backup|update-database) api/index.php [L,QSA]`\n- Controller implementation:\n  - `phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.php` \u2192 `backup()`\n    - No call to `hasValidToken()`, `userIsAuthenticated()`, or any permission check\n- Backup creation:\n  - `phpmyfaq/src/phpMyFAQ/Setup/Update.php` \u2192 `createConfigBackup()`\n    - Writes the ZIP into the config directory and returns a public URL under `content/core/config/`\n\n### PoC\nReplace `BASE_URL` with your instance URL.\n\n1) Trigger config backup generation without authentication:\n\n```bash\nBASE_URL=\"http://localhost\"\ncurl -i -X POST \"${BASE_URL}/api/setup/backup\" \\\n  -H \"Content-Type: text/plain\" \\\n  --data \"4.1.0-RC\"\n```\n\nExpected result: `200 OK` with JSON containing `backupFile`.\n\n2) Copy the `backupFile` URL from the JSON response and download it (still without authentication):\n\n```bash\n# Example (replace with the exact URL returned in step 1)\ncurl -i \"http://localhost/content/core/config/phpmyfaq-config-backup.YYYY-MM-DD.zip\" -o phpmyfaq-config-backup.zip\n```\n\n3) Verify sensitive content exists in the ZIP:\n\n```bash\nunzip -l phpmyfaq-config-backup.zip\nunzip -p phpmyfaq-config-backup.zip database.php\n```\n\nObserved: `database.php` is included and contains DB host/user/password.\n\n### Impact\n- Vulnerability class: Missing authentication/authorization for a sensitive function + sensitive information exposure.\n- Who is impacted: Any internet-exposed phpMyFAQ installation where the default `.htaccess` rewrite rules are active and the endpoint is reachable.\n- Security impact: Disclosure of configuration secrets (DB credentials, integration config, etc.), enabling follow-on attacks such as database takeover and data exfiltration.",
  "id": "GHSA-9cg9-4h4f-j6fg",
  "modified": "2025-12-30T15:31:19Z",
  "published": "2025-12-30T15:31:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9cg9-4h4f-j6fg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/commit/b0e99ee3695152115841cb546d8dce64ceb8c29a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ has unauthenticated config backup download via /api/setup/backup"
}

GHSA-F2VV-H5X4-57GR

Vulnerability from github – Published: 2021-02-10 02:32 – Updated: 2021-10-05 16:12
VLAI
Summary
Leak of information via Store-API
Details

Impact

Leak of information via Store-API

Patches

We recommend to update to the current version 6.3.5.1. You can get the update to 6.3.5.1 regularly via the Auto-Updater or directly via the download overview.

https://www.shopware.com/en/download/#shopware-6

The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. Please check your plugins if you have it in use. Detailed technical information can be found in the upgrade information.

https://github.com/shopware/platform/blob/v6.3.5.1/UPGRADE-6.3.md#6351

Workarounds

For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659

For more information

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.3.5.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.3.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-10T02:17:41Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nLeak of information via Store-API\n\n### Patches\nWe recommend to update to the current version 6.3.5.1. You can get the update to 6.3.5.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\nThe vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. Please check your plugins if you have it in use. Detailed technical information can be found in the upgrade information.\n\nhttps://github.com/shopware/platform/blob/v6.3.5.1/UPGRADE-6.3.md#6351\n\n### Workarounds\nFor older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021",
  "id": "GHSA-f2vv-h5x4-57gr",
  "modified": "2021-10-05T16:12:44Z",
  "published": "2021-02-10T02:32:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/platform/security/advisories/GHSA-f2vv-h5x4-57gr"
    },
    {
      "type": "WEB",
      "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/platform"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/platform/blob/v6.3.5.1/UPGRADE-6.3.md#6351"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/shopware/platform"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Leak of information via Store-API"
}

GHSA-G67V-GQ6F-P8X3

Vulnerability from github – Published: 2024-06-24 21:33 – Updated: 2024-07-03 18:46
VLAI
Details

WAVLINK WN551K1'live_mfg.shtml enables attackers to obtain sensitive router information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38895"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-24T21:15:26Z",
    "severity": "MODERATE"
  },
  "details": "WAVLINK WN551K1\u0027live_mfg.shtml enables attackers to obtain sensitive router information.",
  "id": "GHSA-g67v-gq6f-p8x3",
  "modified": "2024-07-03T18:46:35Z",
  "published": "2024-06-24T21:33:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38895"
    },
    {
      "type": "WEB",
      "url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/live_mfg.shtml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H27M-3QW8-3PW8

Vulnerability from github – Published: 2025-07-23 15:47 – Updated: 2025-07-25 16:23
VLAI
Summary
Possible ORM Leak Vulnerability in the Harbor
Details

Impact

Administrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the /api/v2.0/users endpoint to leak users' password hash and salt values. This vulnerability was introduced into the application because the q URL parameter allowed the administrator to filter users by any column, and the filter password=~ could be abused to leak out a user's password hash character by character.

An attacker with administrator access could exploit this vulnerability to leak highly sensitive information stored on the Harbor database, as demonstrated in the attached writeup by the leaking of users' password hashes and salts. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack, and could potentially be exploitable by lower privileged users to gain unauthorised access to other sensitive information.

Patches

No available

Workarounds

NA

References

Credit

alex@elttam.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.13.0"
            },
            {
              "fixed": "2.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.13.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0-rc1.1"
            },
            {
              "fixed": "2.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.0-rc1.0.20250331071157-dce7d9f5cffb"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-202"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-23T15:47:31Z",
    "nvd_published_at": "2025-07-25T15:15:26Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAdministrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the `/api/v2.0/users` endpoint to leak users\u0027 password hash and salt values. This vulnerability was introduced into the application because the `q` URL parameter allowed the administrator to filter users by any column, and the filter `password=~` could be abused to leak out a user\u0027s password hash character by character.\n\nAn attacker with administrator access could exploit this vulnerability to leak highly sensitive information stored on the Harbor database, as demonstrated in the attached writeup by the leaking of users\u0027 password hashes and salts. All endpoints that support the `q` URL parameter are vulnerable to this ORM leak attack, and could potentially be exploitable by lower privileged users to gain unauthorised access to other sensitive information. \n\n\n### Patches\nNo available\n\n### Workarounds\nNA\n\n### References\n\n### Credit\nalex@elttam.com",
  "id": "GHSA-h27m-3qw8-3pw8",
  "modified": "2025-07-25T16:23:52Z",
  "published": "2025-07-23T15:47:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor/security/advisories/GHSA-h27m-3qw8-3pw8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30086"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor/commit/dce7d9f5cffbd0d0c5d27e7a2f816f65a930702c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/goharbor/harbor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor/releases"
    },
    {
      "type": "WEB",
      "url": "https://goharbor.io/blog"
    },
    {
      "type": "WEB",
      "url": "https://www.elttam.com/blog/plormbing-your-django-orm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Possible ORM Leak Vulnerability in the Harbor"
}

GHSA-HRVV-3GC2-4CQX

Vulnerability from github – Published: 2024-10-04 12:31 – Updated: 2026-06-03 15:30
VLAI
Details

Cleartext Storage of Sensitive Information vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data.This issue solved in versions 1.21.10, 1.23.01, 1.23.08, 1.23.11 and 1.24.03.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-04T12:15:12Z",
    "severity": "HIGH"
  },
  "details": "Cleartext Storage of Sensitive Information vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data.This issue solved in versions 1.21.10,\u00a01.23.01,\u00a01.23.08, 1.23.11 and 1.24.03.",
  "id": "GHSA-hrvv-3gc2-4cqx",
  "modified": "2026-06-03T15:30:35Z",
  "published": "2024-10-04T12:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6400"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1611"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-1611"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

This is a complex topic. See the [REF-1492] for a good discussion of best practices.

No CAPEC attack patterns related to this CWE.