CWE-598
AllowedUse of HTTP Request With Sensitive Query String
Abstraction: Variant · Status: Draft
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.
139 vulnerabilities reference this CWE, most recent first.
GHSA-FX5H-WV8R-5J9Q
Vulnerability from github – Published: 2026-07-08 15:32 – Updated: 2026-07-08 15:32Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: *, allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token from access logs, proxy logs, browser history, or Referrer headers can create persistent backdoor super-admin accounts and exfiltrate sensitive configuration and user data.
{
"affected": [],
"aliases": [
"CVE-2026-58656"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T14:17:20Z",
"severity": "HIGH"
},
"details": "Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: *, allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token from access logs, proxy logs, browser history, or Referrer headers can create persistent backdoor super-admin accounts and exfiltrate sensitive configuration and user data.",
"id": "GHSA-fx5h-wv8r-5j9q",
"modified": "2026-07-08T15:32:01Z",
"published": "2026-07-08T15:32:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-hqm9-5xxw-4qxp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58656"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/grav-api-plugin-cross-origin-admin-account-takeover-via-cors-wildcard-and-jwt-query-parameter"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G2QJ-PRGH-4G9R
Vulnerability from github – Published: 2026-04-01 23:36 – Updated: 2026-04-27 16:20Refresh Token Leaked via URL Query Parameter in OAuth Provider Callback
Summary
The auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs.
Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer.
Affected Component
- Repository:
github.com/nhost/nhost - Service:
services/auth - File:
services/auth/go/controller/sign_in_provider_callback_get.go - Function:
signinProviderProviderCallback(lines 257-261)
Root Cause
In sign_in_provider_callback_get.go:257-261, after successful OAuth sign-in, the refresh token is appended as a URL query parameter:
if session != nil {
values := redirectTo.Query()
values.Add("refreshToken", session.RefreshToken)
redirectTo.RawQuery = values.Encode()
}
This results in a redirect like:
HTTP/1.1 302 Found
Location: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-7890-abcd-ef1234567890
Proof of Concept
Step 1: Initiate OAuth login
GET /signin/provider/github?redirectTo=https://myapp.com/callback
Step 2: Complete OAuth flow with provider
Step 3: Auth service redirects with token in URL
HTTP/1.1 302 Found
Location: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-7890-abcd-ef1234567890
Step 4: Token is now visible in owned infrastructure and services:
Browser History:
# User's browser history now contains the refresh token
HTTP Referer Header:
# If the callback page loads ANY external resource (image, script, etc.):
GET /resource.js HTTP/1.1
Host: cdn.example.com
Referer: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-...
# Note: modern browsers default to strict-origin-when-cross-origin policy,
# which strips query parameters from cross-origin Referer headers.
# Additionally, the Referer is only sent to services integrated by the
# application developer (analytics, CDNs, etc.), not arbitrary third parties.
Server Access Logs:
# Reverse proxy, CDN, or load balancer logs on owned infrastructure:
2026-03-08 12:00:00 GET /callback?refreshToken=a1b2c3d4-e5f6-... 200
Step 5: Attacker uses stolen refresh token
# Exchange stolen refresh token for new access token
curl -X POST https://auth.nhost.run/v1/token \
-H 'Content-Type: application/json' \
-d '{"refreshToken": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}'
# Note: refresh tokens are one-time use, so this only works if the
# legitimate client has not already consumed the token and if the attacker has
# compromised your infrastructure to get access to this information
Impact
-
Session Hijacking: Anyone who obtains the token before it is consumed by the legitimate client can generate new access tokens, though the refresh token is one-time use and cannot be reused after consumption.
-
Leak Vectors: URL query parameters are visible in owned infrastructure and integrated services:
- Browser history (local access)
- HTTP Referer headers (mitigated by modern browser default referrer policies; only sent to developer-integrated services)
- Server access logs (owned infrastructure)
-
Proxy/CDN/WAF logs (owned infrastructure)
-
Affects All OAuth Providers: Every OAuth provider flow (GitHub, Google, Apple, etc.) goes through the same callback handler.
Fix
Implemented PKCE (Proof Key for Code Exchange) for the OAuth flow. With PKCE, the authorization code cannot be exchanged without the code_verifier that only the original client possesses, preventing token misuse even if the URL is logged.
See: https://docs.nhost.io/products/auth/pkce/
Resources
- OWASP: Session Management - Token Transport: "Session tokens should not be transported in the URL"
- RFC 6749 Section 10.3: "Access tokens and refresh tokens MUST NOT be included in the redirect URI"
- CWE-598: Use of GET Request Method With Sensitive Query Strings
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nhost/nhost"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260330133707-294954e0fc3a"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34969"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-598"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T23:36:10Z",
"nvd_published_at": "2026-04-06T16:16:38Z",
"severity": "LOW"
},
"details": "# Refresh Token Leaked via URL Query Parameter in OAuth Provider Callback\n\n## Summary\n\nThe auth service\u0027s OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs.\n\nNote that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer.\n\n## Affected Component\n\n- **Repository**: `github.com/nhost/nhost`\n- **Service**: `services/auth`\n- **File**: `services/auth/go/controller/sign_in_provider_callback_get.go`\n- **Function**: `signinProviderProviderCallback` (lines 257-261)\n\n## Root Cause\n\nIn `sign_in_provider_callback_get.go:257-261`, after successful OAuth sign-in, the refresh token is appended as a URL query parameter:\n\n```go\nif session != nil {\n values := redirectTo.Query()\n values.Add(\"refreshToken\", session.RefreshToken)\n redirectTo.RawQuery = values.Encode()\n}\n```\n\nThis results in a redirect like:\n```\nHTTP/1.1 302 Found\nLocation: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-7890-abcd-ef1234567890\n```\n\n## Proof of Concept\n\n### Step 1: Initiate OAuth login\n```\nGET /signin/provider/github?redirectTo=https://myapp.com/callback\n```\n\n### Step 2: Complete OAuth flow with provider\n\n### Step 3: Auth service redirects with token in URL\n```\nHTTP/1.1 302 Found\nLocation: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-7890-abcd-ef1234567890\n```\n\n### Step 4: Token is now visible in owned infrastructure and services:\n\n**Browser History:**\n```\n# User\u0027s browser history now contains the refresh token\n```\n\n**HTTP Referer Header:**\n```\n# If the callback page loads ANY external resource (image, script, etc.):\nGET /resource.js HTTP/1.1\nHost: cdn.example.com\nReferer: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-...\n# Note: modern browsers default to strict-origin-when-cross-origin policy,\n# which strips query parameters from cross-origin Referer headers.\n# Additionally, the Referer is only sent to services integrated by the\n# application developer (analytics, CDNs, etc.), not arbitrary third parties.\n```\n\n**Server Access Logs:**\n```\n# Reverse proxy, CDN, or load balancer logs on owned infrastructure:\n2026-03-08 12:00:00 GET /callback?refreshToken=a1b2c3d4-e5f6-... 200\n```\n\n### Step 5: Attacker uses stolen refresh token\n```bash\n# Exchange stolen refresh token for new access token\ncurl -X POST https://auth.nhost.run/v1/token \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"refreshToken\": \"a1b2c3d4-e5f6-7890-abcd-ef1234567890\"}\u0027\n\n# Note: refresh tokens are one-time use, so this only works if the\n# legitimate client has not already consumed the token and if the attacker has\n# compromised your infrastructure to get access to this information\n```\n\n## Impact\n\n1. **Session Hijacking**: Anyone who obtains the token before it is consumed by the legitimate client can generate new access tokens, though the refresh token is one-time use and cannot be reused after consumption.\n\n2. **Leak Vectors**: URL query parameters are visible in owned infrastructure and integrated services:\n - Browser history (local access)\n - HTTP Referer headers (mitigated by modern browser default referrer policies; only sent to developer-integrated services)\n - Server access logs (owned infrastructure)\n - Proxy/CDN/WAF logs (owned infrastructure)\n\n3. **Affects All OAuth Providers**: Every OAuth provider flow (GitHub, Google, Apple, etc.) goes through the same callback handler.\n\n## Fix\n\nImplemented PKCE (Proof Key for Code Exchange) for the OAuth flow. With PKCE, the authorization code cannot be exchanged without the `code_verifier` that only the original client possesses, preventing token misuse even if the URL is logged.\n\nSee: https://docs.nhost.io/products/auth/pkce/\n\n## Resources\n\n- OWASP: Session Management - Token Transport: \"Session tokens should not be transported in the URL\"\n- RFC 6749 Section 10.3: \"Access tokens and refresh tokens MUST NOT be included in the redirect URI\"\n- CWE-598: Use of GET Request Method With Sensitive Query Strings\n- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"id": "GHSA-g2qj-prgh-4g9r",
"modified": "2026-04-27T16:20:58Z",
"published": "2026-04-01T23:36:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34969"
},
{
"type": "WEB",
"url": "https://docs.nhost.io/products/auth/pkce"
},
{
"type": "PACKAGE",
"url": "https://github.com/nhost/nhost"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback"
}
GHSA-GCVM-C75M-H4P4
Vulnerability from github – Published: 2026-04-09 18:31 – Updated: 2026-04-10 21:35Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.
The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact
This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.openmeetings:openmeetings-parent"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.3"
},
{
"fixed": "9.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34020"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T21:24:43Z",
"nvd_published_at": "2026-04-09T16:16:27Z",
"severity": "HIGH"
},
"details": "Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.\n\nThe REST login endpoint uses HTTP GET method with username and password passed as query parameters.\u00a0Please check references regarding possible impact\n\n\nThis issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue.",
"id": "GHSA-gcvm-c75m-h4p4",
"modified": "2026-04-10T21:35:15Z",
"published": "2026-04-09T18:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34020"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/openmeetings"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/09/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache OpenMeetings Uses GET Request Method With Sensitive Query Strings "
}
GHSA-GJ2H-2FPW-FHV9
Vulnerability from github – Published: 2026-07-02 20:16 – Updated: 2026-07-02 20:16Summary
UForm and UAuthForm render a server-side <form> element with no method and no action attribute, relying on a hydrated @submit.prevent handler to intercept submission. If a user submits the form before Vue hydration has attached the handler (autofill plus Enter on a slow network, JS bundle blocked by CSP or CDN failure, etc.), the browser performs the native default: a GET to the current URL with every named field, including <input type="password">, serialised into the query string.
Details
src/runtime/components/Form.vue (around the template's <form> element) emits:
<component
:is="parentBus ? 'div' : 'form'"
:id="formId"
ref="formRef"
:class="ui({ class: [uiProp?.base, props.class] })"
@submit.prevent="onSubmitWrapper"
>
No method, no action. @submit.prevent is the only thing stopping native submission, and it only exists after hydration. UAuthForm composes UForm and inherits the same shape.
The SSR snapshot of UAuthForm (test/components/__snapshots__/AuthForm.spec.ts.snap) shows the rendered markup, with <input type="password" name="password"> inside a <form> that has no method.
Proof of concept
Reported by @nimonian:
- Create a minimal Nuxt app with a
UAuthForm. - Build for production and visit in a browser with network throttling at 4G or slower.
- Enter credentials.
- Submit (or let autofill + Enter fire before hydration).
The URL becomes /login?email=…&password=…. Reproducible deterministically in Playwright by triggering submit immediately on load.
Impact
Any application using UAuthForm (or UForm with credential-shaped fields) as documented. The cleartext password lands in:
- the address bar,
window.history,- the
Refererheader of every same-origin subresource fetched from the resulting URL, - access logs of any reverse proxy, CDN, or WAF that records request URLs.
Patch
Default the rendered <form> to method="post" so the pre-hydration fallback submits as POST rather than GET. Vue's @submit.prevent still intercepts the hydrated case; the attribute only matters in the race window. Applications that explicitly want native GET submission can opt back in by passing method="get".
Credit
Reported by @nimonian. Originally filed as GHSA-92g7-2fpq-hmq8 against nuxt/nuxt; moved here because the affected code lives in @nuxt/ui.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@nuxt/ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-598"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T20:16:12Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\n`UForm` and `UAuthForm` render a server-side `\u003cform\u003e` element with no `method` and no `action` attribute, relying on a hydrated `@submit.prevent` handler to intercept submission. If a user submits the form before Vue hydration has attached the handler (autofill plus Enter on a slow network, JS bundle blocked by CSP or CDN failure, etc.), the browser performs the native default: a `GET` to the current URL with every named field, including `\u003cinput type=\"password\"\u003e`, serialised into the query string.\n\n### Details\n\n`src/runtime/components/Form.vue` (around the template\u0027s `\u003cform\u003e` element) emits:\n\n```vue\n\u003ccomponent\n :is=\"parentBus ? \u0027div\u0027 : \u0027form\u0027\"\n :id=\"formId\"\n ref=\"formRef\"\n :class=\"ui({ class: [uiProp?.base, props.class] })\"\n @submit.prevent=\"onSubmitWrapper\"\n\u003e\n```\n\nNo `method`, no `action`. `@submit.prevent` is the only thing stopping native submission, and it only exists after hydration. `UAuthForm` composes `UForm` and inherits the same shape.\n\nThe SSR snapshot of `UAuthForm` (`test/components/__snapshots__/AuthForm.spec.ts.snap`) shows the rendered markup, with `\u003cinput type=\"password\" name=\"password\"\u003e` inside a `\u003cform\u003e` that has no `method`.\n\n### Proof of concept\n\nReported by @nimonian:\n\n1. Create a minimal Nuxt app with a `UAuthForm`.\n2. Build for production and visit in a browser with network throttling at 4G or slower.\n3. Enter credentials.\n4. Submit (or let autofill + Enter fire before hydration).\n\nThe URL becomes `/login?email=\u2026\u0026password=\u2026`. Reproducible deterministically in Playwright by triggering submit immediately on `load`.\n\n### Impact\n\nAny application using `UAuthForm` (or `UForm` with credential-shaped fields) as documented. The cleartext password lands in:\n\n- the address bar,\n- `window.history`,\n- the `Referer` header of every same-origin subresource fetched from the resulting URL,\n- access logs of any reverse proxy, CDN, or WAF that records request URLs.\n\n### Patch\n\nDefault the rendered `\u003cform\u003e` to `method=\"post\"` so the pre-hydration fallback submits as POST rather than GET. Vue\u0027s `@submit.prevent` still intercepts the hydrated case; the attribute only matters in the race window. Applications that explicitly want native GET submission can opt back in by passing `method=\"get\"`.\n\n### Credit\n\nReported by @nimonian. Originally filed as `GHSA-92g7-2fpq-hmq8` against `nuxt/nuxt`; moved here because the affected code lives in `@nuxt/ui`.",
"id": "GHSA-gj2h-2fpw-fhv9",
"modified": "2026-07-02T20:16:12Z",
"published": "2026-07-02T20:16:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nuxt/ui/security/advisories/GHSA-gj2h-2fpw-fhv9"
},
{
"type": "PACKAGE",
"url": "https://github.com/nuxt/ui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration"
}
GHSA-HGPQ-GF6R-4VR6
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC have a web application that uses the GET method to process requests that contain sensitive information such as user account name and password, which can expose that information through the browser's history, referrers, web logs, and other sources.
{
"affected": [],
"aliases": [
"CVE-2017-3185"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-16T02:29:00Z",
"severity": "CRITICAL"
},
"details": "ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC have a web application that uses the GET method to process requests that contain sensitive information such as user account name and password, which can expose that information through the browser\u0027s history, referrers, web logs, and other sources.",
"id": "GHSA-hgpq-gf6r-4vr6",
"modified": "2022-05-13T01:36:45Z",
"published": "2022-05-13T01:36:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3185"
},
{
"type": "WEB",
"url": "https://twitter.com/Hfuhs/status/839252357221330944"
},
{
"type": "WEB",
"url": "https://twitter.com/hack3rsca/status/839599437907386368"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/355151"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96720/info"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HHVH-4RV2-P55M
Vulnerability from github – Published: 2026-02-23 12:31 – Updated: 2026-02-23 12:31An information exposure vulnerability exists in
Vulnerability in HCL Software ZIE for Web.
The application transmits sensitive session tokens and authentication identifiers within the URL query parameters . An attacker who gains access to any network log or operates a site linked from the application can hijack user sessions
This issue affects ZIE for Web: v16.
{
"affected": [],
"aliases": [
"CVE-2025-59873"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-23T11:16:21Z",
"severity": "MODERATE"
},
"details": "An information exposure vulnerability exists in\n\nVulnerability in HCL Software ZIE for Web.\n\nThe application transmits sensitive session tokens and authentication identifiers within the URL query parameters . An attacker who gains access to any network log or operates a site linked from the application can hijack user sessions\n\nThis issue affects ZIE for Web: v16.",
"id": "GHSA-hhvh-4rv2-p55m",
"modified": "2026-02-23T12:31:30Z",
"published": "2026-02-23T12:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59873"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0128902"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HQF8-3W52-4344
Vulnerability from github – Published: 2024-08-02 00:31 – Updated: 2024-08-02 00:31Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.
{
"affected": [],
"aliases": [
"CVE-2024-32931"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-01T22:15:25Z",
"severity": "MODERATE"
},
"details": "Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.",
"id": "GHSA-hqf8-3w52-4344",
"modified": "2024-08-02T00:31:25Z",
"published": "2024-08-02T00:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32931"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-06"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HR3C-G4HC-C8WH
Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-09-17 15:30An issue in Perplexity AI GPT-4 allows a remote attacker to obtain sensitive information via a GET parameter
{
"affected": [],
"aliases": [
"CVE-2025-50709"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-17T14:15:39Z",
"severity": "MODERATE"
},
"details": "An issue in Perplexity AI GPT-4 allows a remote attacker to obtain sensitive information via a GET parameter",
"id": "GHSA-hr3c-g4hc-c8wh",
"modified": "2025-09-17T15:30:36Z",
"published": "2025-09-17T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50709"
},
{
"type": "WEB",
"url": "https://github.com/mano257200/Perplexity-AI/blob/main/README.md"
},
{
"type": "WEB",
"url": "https://github.com/mano257200/perplexity/blob/main/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HVR3-HX5M-G63G
Vulnerability from github – Published: 2025-04-30 21:31 – Updated: 2025-04-30 21:31: Use of GET Request Method With Sensitive Query Strings vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini.This issue affects ANC: through 1.1.4; ANC-L: through 1.1.4; ANC-mini: through 1.1.4.
{
"affected": [],
"aliases": [
"CVE-2024-9877"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-30T19:15:54Z",
"severity": "MODERATE"
},
"details": ": Use of GET Request Method With Sensitive Query Strings vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini.This issue affects ANC: through 1.1.4; ANC-L: through 1.1.4; ANC-mini: through 1.1.4.",
"id": "GHSA-hvr3-hx5m-g63g",
"modified": "2025-04-30T21:31:48Z",
"published": "2025-04-30T21:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9877"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2CRT000006\u0026LanguageCode=en\u0026DocumentPartId=PDF\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J46H-HW72-JXQH
Vulnerability from github – Published: 2025-05-22 15:34 – Updated: 2025-06-04 21:31Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.
{
"affected": [],
"aliases": [
"CVE-2025-3943"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-22T13:15:57Z",
"severity": "MODERATE"
},
"details": "Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u00a0Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.",
"id": "GHSA-j46h-hw72-jxqh",
"modified": "2025-06-04T21:31:10Z",
"published": "2025-05-22T15:34:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3943"
},
{
"type": "WEB",
"url": "https://docs.niagara-community.com/category/tech_bull"
},
{
"type": "WEB",
"url": "https://honeywell.com/us/en/product-security#security-notices"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.
No CAPEC attack patterns related to this CWE.