CWE-598
AllowedUse of HTTP Request With Sensitive Query String
Abstraction: Variant · Status: Draft
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.
139 vulnerabilities reference this CWE, most recent first.
GHSA-6W7X-2WQ8-QRCF
Vulnerability from github – Published: 2026-03-09 09:30 – Updated: 2026-03-09 09:30An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR.
{
"affected": [],
"aliases": [
"CVE-2025-41772"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-09T09:16:01Z",
"severity": "HIGH"
},
"details": "An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR.",
"id": "GHSA-6w7x-2wq8-qrcf",
"modified": "2026-03-09T09:30:30Z",
"published": "2026-03-09T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41772"
},
{
"type": "WEB",
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-735V-R5C6-6249
Vulnerability from github – Published: 2025-01-27 18:32 – Updated: 2025-01-27 18:32A vulnerability classified as problematic has been found in TP-Link TL-SG108E 1.0.0 Build 20201208 Rel. 40304. Affected is an unknown function of the file /usr_account_set.cgi of the component HTTP GET Request Handler. The manipulation of the argument username/password leads to use of get request method with sensitive query strings. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.0 Build 20250124 Rel. 54920(Beta) is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early. They reacted very professional and provided a pre-fix version for their customers.
{
"affected": [],
"aliases": [
"CVE-2025-0730"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T17:15:17Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in TP-Link TL-SG108E 1.0.0 Build 20201208 Rel. 40304. Affected is an unknown function of the file /usr_account_set.cgi of the component HTTP GET Request Handler. The manipulation of the argument username/password leads to use of get request method with sensitive query strings. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.0 Build 20250124 Rel. 54920(Beta) is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early. They reacted very professional and provided a pre-fix version for their customers.",
"id": "GHSA-735v-r5c6-6249",
"modified": "2025-01-27T18:32:02Z",
"published": "2025-01-27T18:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0730"
},
{
"type": "WEB",
"url": "https://github.com/TheCyberDiver/Public-Disclosures-CVE-/blob/main/tp-link%20sensitive%20info%20in%20GET.md"
},
{
"type": "WEB",
"url": "https://static.tp-link.com/upload/beta/2025/202501/20250124/TL-SG108E(UN)%206.0_1.0.0%20Build%2020250124%20Rel.54920(Beta)_up.zip"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.293508"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.293508"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.478465"
},
{
"type": "WEB",
"url": "https://www.tp-link.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7H7C-CPX6-6CG3
Vulnerability from github – Published: 2021-12-01 00:00 – Updated: 2021-12-02 00:01Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database.
{
"affected": [],
"aliases": [
"CVE-2021-36328"
],
"database_specific": {
"cwe_ids": [
"CWE-598",
"CWE-89"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-30T21:15:00Z",
"severity": "HIGH"
},
"details": "Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database.",
"id": "GHSA-7h7c-cpx6-6cg3",
"modified": "2021-12-02T00:01:05Z",
"published": "2021-12-01T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36328"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-in/000193697/dsa-2021-205-dell-emc-streaming-data-platform-security-update-for-third-party-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8379-8JJ9-C2JJ
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs.
{
"affected": [],
"aliases": [
"CVE-2017-8443"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-30T19:29:00Z",
"severity": "MODERATE"
},
"details": "In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs.",
"id": "GHSA-8379-8jj9-c2jj",
"modified": "2022-05-13T01:14:31Z",
"published": "2022-05-13T01:14:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8443"
},
{
"type": "WEB",
"url": "https://www.elastic.co/community/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9PG3-25FQ-P6CC
Vulnerability from github – Published: 2026-06-10 22:13 – Updated: 2026-06-10 22:13internal/web/operators.go:251 — after handleOperatorCreateAPIKey mints a fresh 32-byte bearer token, the redirect points the operator's browser at:
/ui/operators/<id>?new_key=<raw-token>&key_name=<name>
The raw API key ends up:
- in the browser's URL history
- in the Referer header on every cross-origin asset the detail page loads (any third-party SVG/CSS/JS resource the layout pulls in)
- in any reverse-proxy or load-balancer access log on the path (nginx default combined log captures the query string)
- in any structured log sink the operator's local browser-history backup tool ships out
Authorization: Bearer <token> headers go through the same hops without these problems because access logs typically don't capture request headers and the browser doesn't replay headers cross-origin.
Same handler also appends name (r.FormValue("name")) to the query string without url.QueryEscape, so an & in the operator-supplied key name corrupts query parsing and a \r\n in older proxies could split response headers.
Affected
All released versions up to v0.3.1.
Reproducer
As admin, create an API key via /ui/operators/<id>/api-keys (form POST). The 303 Location header carries the raw token in the query string. Open browser DevTools → Network → response headers; or check the reverse-proxy access log; or check the operator-detail page's Referer-emitting fetches.
Suggested fix
Stash the raw key in a one-shot server-side flash storage (e.g., a row in operator_sessions keyed by session token, with a one_shot_token column and consumed_at) or in a short-lived signed cookie. Render the key once inline on the detail page after the redirect, and clear the storage on render. Pattern mirrors the recovery-codes display in the TOTP flow.
If the flash-storage refactor is too invasive, the minimal fix is to render the key inline via a POST → 200 OK with HTML (no redirect), losing the post-redirect-get idiom but eliminating the URL exposure.
Also fix name query encoding with url.QueryEscape regardless of which fix shape lands.
CVSS estimate
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N — 5.5 (medium). AV:L because realistic exploit requires log-read access on shared infrastructure (proxy, CDN, browser-history backup) the operator's session touches.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/juev/nebula-mesh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47768"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-532",
"CWE-598"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-10T22:13:45Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "`internal/web/operators.go:251` \u2014 after `handleOperatorCreateAPIKey` mints a fresh 32-byte bearer token, the redirect points the operator\u0027s browser at:\n\n /ui/operators/\u003cid\u003e?new_key=\u003craw-token\u003e\u0026key_name=\u003cname\u003e\n\nThe raw API key ends up:\n- in the browser\u0027s URL history\n- in the `Referer` header on every cross-origin asset the detail page loads (any third-party SVG/CSS/JS resource the layout pulls in)\n- in any reverse-proxy or load-balancer access log on the path (nginx default `combined` log captures the query string)\n- in any structured log sink the operator\u0027s local browser-history backup tool ships out\n\n`Authorization: Bearer \u003ctoken\u003e` headers go through the same hops without these problems because access logs typically don\u0027t capture request headers and the browser doesn\u0027t replay headers cross-origin.\n\nSame handler also appends `name` (`r.FormValue(\"name\")`) to the query string without `url.QueryEscape`, so an `\u0026` in the operator-supplied key name corrupts query parsing and a `\\r\\n` in older proxies could split response headers.\n\n## Affected\nAll released versions up to v0.3.1.\n\n## Reproducer\nAs admin, create an API key via `/ui/operators/\u003cid\u003e/api-keys` (form POST). The 303 Location header carries the raw token in the query string. Open browser DevTools \u2192 Network \u2192 response headers; or check the reverse-proxy access log; or check the operator-detail page\u0027s `Referer`-emitting fetches.\n\n## Suggested fix\nStash the raw key in a one-shot server-side flash storage (e.g., a row in `operator_sessions` keyed by session token, with a `one_shot_token` column and `consumed_at`) or in a short-lived signed cookie. Render the key once inline on the detail page after the redirect, and clear the storage on render. Pattern mirrors the recovery-codes display in the TOTP flow.\n\nIf the flash-storage refactor is too invasive, the minimal fix is to render the key inline via a `POST` \u2192 `200 OK with HTML` (no redirect), losing the post-redirect-get idiom but eliminating the URL exposure.\n\nAlso fix `name` query encoding with `url.QueryEscape` regardless of which fix shape lands.\n\n## CVSS estimate\nAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N \u2014 5.5 (medium). AV:L because realistic exploit requires log-read access on shared infrastructure (proxy, CDN, browser-history backup) the operator\u0027s session touches.",
"id": "GHSA-9pg3-25fq-p6cc",
"modified": "2026-06-10T22:13:45Z",
"published": "2026-06-10T22:13:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/juev/nebula-mesh/security/advisories/GHSA-9pg3-25fq-p6cc"
},
{
"type": "PACKAGE",
"url": "https://github.com/juev/nebula-mesh"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)"
}
GHSA-9VC3-VM42-FJHM
Vulnerability from github – Published: 2025-04-25 15:31 – Updated: 2025-04-25 17:06A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 4.1.18"
},
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0-beta"
},
{
"fixed": "4.3.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0-beta"
},
{
"fixed": "4.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0-beta"
},
{
"fixed": "4.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3637"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-25T17:06:27Z",
"nvd_published_at": "2025-04-25T15:15:37Z",
"severity": "LOW"
},
"details": "A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site\u0027s URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.",
"id": "GHSA-9vc3-vm42-fjhm",
"modified": "2025-04-25T17:06:27Z",
"published": "2025-04-25T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3637"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/052007b7324ef24aebe36a876ffa4fa97fac4f81"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-3637"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359727"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=467599"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-65356"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moodle\u0027s mod_data edit/delete pages pass CSRF token in GET parameter"
}
GHSA-CPMJ-JRPC-57WC
Vulnerability from github – Published: 2026-01-12 06:30 – Updated: 2026-01-14 18:31Information Exposure Through Query Strings in GET Request vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Session Hijacking.This issue affects DX NetOps Spectrum: 24.3.8 and earlier.
{
"affected": [],
"aliases": [
"CVE-2025-69270"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-12T05:16:10Z",
"severity": "LOW"
},
"details": "Information Exposure Through Query Strings in GET Request vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Session Hijacking.This issue affects DX NetOps Spectrum: 24.3.8 and earlier.",
"id": "GHSA-cpmj-jrpc-57wc",
"modified": "2026-01-14T18:31:18Z",
"published": "2026-01-12T06:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69270"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F2Q6-8FX7-GJF8
Vulnerability from github – Published: 2026-05-29 12:31 – Updated: 2026-05-29 12:31A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-10078"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T11:16:16Z",
"severity": "LOW"
},
"details": "A flaw was found in the Quay config-tool\u0027s GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure.",
"id": "GHSA-f2q6-8fx7-gjf8",
"modified": "2026-05-29T12:31:25Z",
"published": "2026-05-29T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10078"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-10078"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483168"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F347-P5G7-4GG7
Vulnerability from github – Published: 2023-11-27 15:30 – Updated: 2023-11-27 15:30Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows local attacker to retrieve passwords via reading log files.
{
"affected": [],
"aliases": [
"CVE-2023-6287"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-532",
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-27T14:15:08Z",
"severity": "LOW"
},
"details": "Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows local attacker to retrieve passwords via reading log files.",
"id": "GHSA-f347-p5g7-4gg7",
"modified": "2023-11-27T15:30:56Z",
"published": "2023-11-27T15:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6287"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/9554"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FFQ7-HH2J-R24P
Vulnerability from github – Published: 2026-07-14 19:31 – Updated: 2026-07-14 19:31Description
Applications built with the Auth0 Symphony SDK, using the Authorizer security authenticator to protect HTTP routes may accept OAuth 2.0 bearer access tokens provided through a URL query parameter, in addition to the standard Authorization header, which may increase the risk of access token exposure and replay against protected API endpoints.
Resolution
Upgrade auth0/symfony to version 5.9.0 or greater.
Acknowledgement
Okta would like to thank Alex Yeara for their discovery.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.0"
},
"package": {
"ecosystem": "Packagist",
"name": "auth0/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-BETA0"
},
{
"fixed": "5.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50157"
],
"database_specific": {
"cwe_ids": [
"CWE-598",
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T19:31:23Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Description\nApplications built with the Auth0 Symphony SDK, using the Authorizer security authenticator to protect HTTP routes may accept OAuth 2.0 bearer access tokens provided through a URL query parameter, in addition to the standard Authorization header, which may increase the risk of access token exposure and replay against protected API endpoints.\n\n### Resolution\nUpgrade auth0/symfony to version 5.9.0 or greater.\n\n### Acknowledgement\nOkta would like to thank Alex Yeara for their discovery.",
"id": "GHSA-ffq7-hh2j-r24p",
"modified": "2026-07-14T19:31:23Z",
"published": "2026-07-14T19:31:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/symfony/security/advisories/GHSA-ffq7-hh2j-r24p"
},
{
"type": "WEB",
"url": "https://github.com/auth0/symfony/commit/172d1d3e0b9d1e93610d786118389a811179bc8a"
},
{
"type": "WEB",
"url": "https://github.com/auth0/symfony/commit/bd1851b14ae15e99cbe87c96496cf25da025288a"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/symfony"
},
{
"type": "WEB",
"url": "https://github.com/auth0/symfony/releases/tag/5.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Auth0 Symfony SDK Accepted Bearer Tokens via URL Query Parameter"
}
Mitigation
When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.
No CAPEC attack patterns related to this CWE.