Common Weakness Enumeration

CWE-598

Allowed

Use of HTTP Request With Sensitive Query String

Abstraction: Variant · Status: Draft

The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.

139 vulnerabilities reference this CWE, most recent first.

GHSA-FX5H-WV8R-5J9Q

Vulnerability from github – Published: 2026-07-08 15:32 – Updated: 2026-07-08 15:32
VLAI
Details

Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: *, allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token from access logs, proxy logs, browser history, or Referrer headers can create persistent backdoor super-admin accounts and exfiltrate sensitive configuration and user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T14:17:20Z",
    "severity": "HIGH"
  },
  "details": "Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: *, allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token from access logs, proxy logs, browser history, or Referrer headers can create persistent backdoor super-admin accounts and exfiltrate sensitive configuration and user data.",
  "id": "GHSA-fx5h-wv8r-5j9q",
  "modified": "2026-07-08T15:32:01Z",
  "published": "2026-07-08T15:32:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-hqm9-5xxw-4qxp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58656"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/grav-api-plugin-cross-origin-admin-account-takeover-via-cors-wildcard-and-jwt-query-parameter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G2QJ-PRGH-4G9R

Vulnerability from github – Published: 2026-04-01 23:36 – Updated: 2026-04-27 16:20
VLAI
Summary
Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback
Details

Refresh Token Leaked via URL Query Parameter in OAuth Provider Callback

Summary

The auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs.

Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer.

Affected Component

  • Repository: github.com/nhost/nhost
  • Service: services/auth
  • File: services/auth/go/controller/sign_in_provider_callback_get.go
  • Function: signinProviderProviderCallback (lines 257-261)

Root Cause

In sign_in_provider_callback_get.go:257-261, after successful OAuth sign-in, the refresh token is appended as a URL query parameter:

if session != nil {
    values := redirectTo.Query()
    values.Add("refreshToken", session.RefreshToken)
    redirectTo.RawQuery = values.Encode()
}

This results in a redirect like:

HTTP/1.1 302 Found
Location: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-7890-abcd-ef1234567890

Proof of Concept

Step 1: Initiate OAuth login

GET /signin/provider/github?redirectTo=https://myapp.com/callback

Step 2: Complete OAuth flow with provider

Step 3: Auth service redirects with token in URL

HTTP/1.1 302 Found
Location: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-7890-abcd-ef1234567890

Step 4: Token is now visible in owned infrastructure and services:

Browser History:

# User's browser history now contains the refresh token

HTTP Referer Header:

# If the callback page loads ANY external resource (image, script, etc.):
GET /resource.js HTTP/1.1
Host: cdn.example.com
Referer: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-...
# Note: modern browsers default to strict-origin-when-cross-origin policy,
# which strips query parameters from cross-origin Referer headers.
# Additionally, the Referer is only sent to services integrated by the
# application developer (analytics, CDNs, etc.), not arbitrary third parties.

Server Access Logs:

# Reverse proxy, CDN, or load balancer logs on owned infrastructure:
2026-03-08 12:00:00 GET /callback?refreshToken=a1b2c3d4-e5f6-... 200

Step 5: Attacker uses stolen refresh token

# Exchange stolen refresh token for new access token
curl -X POST https://auth.nhost.run/v1/token \
  -H 'Content-Type: application/json' \
  -d '{"refreshToken": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}'

# Note: refresh tokens are one-time use, so this only works if the
# legitimate client has not already consumed the token and if the attacker has
# compromised your infrastructure to get access to this information

Impact

  1. Session Hijacking: Anyone who obtains the token before it is consumed by the legitimate client can generate new access tokens, though the refresh token is one-time use and cannot be reused after consumption.

  2. Leak Vectors: URL query parameters are visible in owned infrastructure and integrated services:

  3. Browser history (local access)
  4. HTTP Referer headers (mitigated by modern browser default referrer policies; only sent to developer-integrated services)
  5. Server access logs (owned infrastructure)
  6. Proxy/CDN/WAF logs (owned infrastructure)

  7. Affects All OAuth Providers: Every OAuth provider flow (GitHub, Google, Apple, etc.) goes through the same callback handler.

Fix

Implemented PKCE (Proof Key for Code Exchange) for the OAuth flow. With PKCE, the authorization code cannot be exchanged without the code_verifier that only the original client possesses, preventing token misuse even if the URL is logged.

See: https://docs.nhost.io/products/auth/pkce/

Resources

  • OWASP: Session Management - Token Transport: "Session tokens should not be transported in the URL"
  • RFC 6749 Section 10.3: "Access tokens and refresh tokens MUST NOT be included in the redirect URI"
  • CWE-598: Use of GET Request Method With Sensitive Query Strings
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nhost/nhost"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260330133707-294954e0fc3a"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-598"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:36:10Z",
    "nvd_published_at": "2026-04-06T16:16:38Z",
    "severity": "LOW"
  },
  "details": "# Refresh Token Leaked via URL Query Parameter in OAuth Provider Callback\n\n## Summary\n\nThe auth service\u0027s OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs.\n\nNote that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer.\n\n## Affected Component\n\n- **Repository**: `github.com/nhost/nhost`\n- **Service**: `services/auth`\n- **File**: `services/auth/go/controller/sign_in_provider_callback_get.go`\n- **Function**: `signinProviderProviderCallback` (lines 257-261)\n\n## Root Cause\n\nIn `sign_in_provider_callback_get.go:257-261`, after successful OAuth sign-in, the refresh token is appended as a URL query parameter:\n\n```go\nif session != nil {\n    values := redirectTo.Query()\n    values.Add(\"refreshToken\", session.RefreshToken)\n    redirectTo.RawQuery = values.Encode()\n}\n```\n\nThis results in a redirect like:\n```\nHTTP/1.1 302 Found\nLocation: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-7890-abcd-ef1234567890\n```\n\n## Proof of Concept\n\n### Step 1: Initiate OAuth login\n```\nGET /signin/provider/github?redirectTo=https://myapp.com/callback\n```\n\n### Step 2: Complete OAuth flow with provider\n\n### Step 3: Auth service redirects with token in URL\n```\nHTTP/1.1 302 Found\nLocation: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-7890-abcd-ef1234567890\n```\n\n### Step 4: Token is now visible in owned infrastructure and services:\n\n**Browser History:**\n```\n# User\u0027s browser history now contains the refresh token\n```\n\n**HTTP Referer Header:**\n```\n# If the callback page loads ANY external resource (image, script, etc.):\nGET /resource.js HTTP/1.1\nHost: cdn.example.com\nReferer: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-...\n# Note: modern browsers default to strict-origin-when-cross-origin policy,\n# which strips query parameters from cross-origin Referer headers.\n# Additionally, the Referer is only sent to services integrated by the\n# application developer (analytics, CDNs, etc.), not arbitrary third parties.\n```\n\n**Server Access Logs:**\n```\n# Reverse proxy, CDN, or load balancer logs on owned infrastructure:\n2026-03-08 12:00:00 GET /callback?refreshToken=a1b2c3d4-e5f6-... 200\n```\n\n### Step 5: Attacker uses stolen refresh token\n```bash\n# Exchange stolen refresh token for new access token\ncurl -X POST https://auth.nhost.run/v1/token \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"refreshToken\": \"a1b2c3d4-e5f6-7890-abcd-ef1234567890\"}\u0027\n\n# Note: refresh tokens are one-time use, so this only works if the\n# legitimate client has not already consumed the token and if the attacker has\n# compromised your infrastructure to get access to this information\n```\n\n## Impact\n\n1. **Session Hijacking**: Anyone who obtains the token before it is consumed by the legitimate client can generate new access tokens, though the refresh token is one-time use and cannot be reused after consumption.\n\n2. **Leak Vectors**: URL query parameters are visible in owned infrastructure and integrated services:\n   - Browser history (local access)\n   - HTTP Referer headers (mitigated by modern browser default referrer policies; only sent to developer-integrated services)\n   - Server access logs (owned infrastructure)\n   - Proxy/CDN/WAF logs (owned infrastructure)\n\n3. **Affects All OAuth Providers**: Every OAuth provider flow (GitHub, Google, Apple, etc.) goes through the same callback handler.\n\n## Fix\n\nImplemented PKCE (Proof Key for Code Exchange) for the OAuth flow. With PKCE, the authorization code cannot be exchanged without the `code_verifier` that only the original client possesses, preventing token misuse even if the URL is logged.\n\nSee: https://docs.nhost.io/products/auth/pkce/\n\n## Resources\n\n- OWASP: Session Management - Token Transport: \"Session tokens should not be transported in the URL\"\n- RFC 6749 Section 10.3: \"Access tokens and refresh tokens MUST NOT be included in the redirect URI\"\n- CWE-598: Use of GET Request Method With Sensitive Query Strings\n- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
  "id": "GHSA-g2qj-prgh-4g9r",
  "modified": "2026-04-27T16:20:58Z",
  "published": "2026-04-01T23:36:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34969"
    },
    {
      "type": "WEB",
      "url": "https://docs.nhost.io/products/auth/pkce"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nhost/nhost"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback"
}

GHSA-GCVM-C75M-H4P4

Vulnerability from github – Published: 2026-04-09 18:31 – Updated: 2026-04-10 21:35
VLAI
Summary
Apache OpenMeetings Uses GET Request Method With Sensitive Query Strings
Details

Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.

The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact

This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.openmeetings:openmeetings-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.3"
            },
            {
              "fixed": "9.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T21:24:43Z",
    "nvd_published_at": "2026-04-09T16:16:27Z",
    "severity": "HIGH"
  },
  "details": "Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.\n\nThe REST login endpoint uses HTTP GET method with username and password passed as query parameters.\u00a0Please check references regarding possible impact\n\n\nThis issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue.",
  "id": "GHSA-gcvm-c75m-h4p4",
  "modified": "2026-04-10T21:35:15Z",
  "published": "2026-04-09T18:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34020"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/openmeetings"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/09/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache OpenMeetings Uses GET Request Method With Sensitive Query Strings "
}

GHSA-GJ2H-2FPW-FHV9

Vulnerability from github – Published: 2026-07-02 20:16 – Updated: 2026-07-02 20:16
VLAI
Summary
@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration
Details

Summary

UForm and UAuthForm render a server-side <form> element with no method and no action attribute, relying on a hydrated @submit.prevent handler to intercept submission. If a user submits the form before Vue hydration has attached the handler (autofill plus Enter on a slow network, JS bundle blocked by CSP or CDN failure, etc.), the browser performs the native default: a GET to the current URL with every named field, including <input type="password">, serialised into the query string.

Details

src/runtime/components/Form.vue (around the template's <form> element) emits:

<component
  :is="parentBus ? 'div' : 'form'"
  :id="formId"
  ref="formRef"
  :class="ui({ class: [uiProp?.base, props.class] })"
  @submit.prevent="onSubmitWrapper"
>

No method, no action. @submit.prevent is the only thing stopping native submission, and it only exists after hydration. UAuthForm composes UForm and inherits the same shape.

The SSR snapshot of UAuthForm (test/components/__snapshots__/AuthForm.spec.ts.snap) shows the rendered markup, with <input type="password" name="password"> inside a <form> that has no method.

Proof of concept

Reported by @nimonian:

  1. Create a minimal Nuxt app with a UAuthForm.
  2. Build for production and visit in a browser with network throttling at 4G or slower.
  3. Enter credentials.
  4. Submit (or let autofill + Enter fire before hydration).

The URL becomes /login?email=…&password=…. Reproducible deterministically in Playwright by triggering submit immediately on load.

Impact

Any application using UAuthForm (or UForm with credential-shaped fields) as documented. The cleartext password lands in:

  • the address bar,
  • window.history,
  • the Referer header of every same-origin subresource fetched from the resulting URL,
  • access logs of any reverse proxy, CDN, or WAF that records request URLs.

Patch

Default the rendered <form> to method="post" so the pre-hydration fallback submits as POST rather than GET. Vue's @submit.prevent still intercepts the hydrated case; the attribute only matters in the race window. Applications that explicitly want native GET submission can opt back in by passing method="get".

Credit

Reported by @nimonian. Originally filed as GHSA-92g7-2fpq-hmq8 against nuxt/nuxt; moved here because the affected code lives in @nuxt/ui.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-598"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:16:12Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`UForm` and `UAuthForm` render a server-side `\u003cform\u003e` element with no `method` and no `action` attribute, relying on a hydrated `@submit.prevent` handler to intercept submission. If a user submits the form before Vue hydration has attached the handler (autofill plus Enter on a slow network, JS bundle blocked by CSP or CDN failure, etc.), the browser performs the native default: a `GET` to the current URL with every named field, including `\u003cinput type=\"password\"\u003e`, serialised into the query string.\n\n### Details\n\n`src/runtime/components/Form.vue` (around the template\u0027s `\u003cform\u003e` element) emits:\n\n```vue\n\u003ccomponent\n  :is=\"parentBus ? \u0027div\u0027 : \u0027form\u0027\"\n  :id=\"formId\"\n  ref=\"formRef\"\n  :class=\"ui({ class: [uiProp?.base, props.class] })\"\n  @submit.prevent=\"onSubmitWrapper\"\n\u003e\n```\n\nNo `method`, no `action`. `@submit.prevent` is the only thing stopping native submission, and it only exists after hydration. `UAuthForm` composes `UForm` and inherits the same shape.\n\nThe SSR snapshot of `UAuthForm` (`test/components/__snapshots__/AuthForm.spec.ts.snap`) shows the rendered markup, with `\u003cinput type=\"password\" name=\"password\"\u003e` inside a `\u003cform\u003e` that has no `method`.\n\n### Proof of concept\n\nReported by @nimonian:\n\n1. Create a minimal Nuxt app with a `UAuthForm`.\n2. Build for production and visit in a browser with network throttling at 4G or slower.\n3. Enter credentials.\n4. Submit (or let autofill + Enter fire before hydration).\n\nThe URL becomes `/login?email=\u2026\u0026password=\u2026`. Reproducible deterministically in Playwright by triggering submit immediately on `load`.\n\n### Impact\n\nAny application using `UAuthForm` (or `UForm` with credential-shaped fields) as documented. The cleartext password lands in:\n\n- the address bar,\n- `window.history`,\n- the `Referer` header of every same-origin subresource fetched from the resulting URL,\n- access logs of any reverse proxy, CDN, or WAF that records request URLs.\n\n### Patch\n\nDefault the rendered `\u003cform\u003e` to `method=\"post\"` so the pre-hydration fallback submits as POST rather than GET. Vue\u0027s `@submit.prevent` still intercepts the hydrated case; the attribute only matters in the race window. Applications that explicitly want native GET submission can opt back in by passing `method=\"get\"`.\n\n### Credit\n\nReported by @nimonian. Originally filed as `GHSA-92g7-2fpq-hmq8` against `nuxt/nuxt`; moved here because the affected code lives in `@nuxt/ui`.",
  "id": "GHSA-gj2h-2fpw-fhv9",
  "modified": "2026-07-02T20:16:12Z",
  "published": "2026-07-02T20:16:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/ui/security/advisories/GHSA-gj2h-2fpw-fhv9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt/ui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration"
}

GHSA-HGPQ-GF6R-4VR6

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC have a web application that uses the GET method to process requests that contain sensitive information such as user account name and password, which can expose that information through the browser's history, referrers, web logs, and other sources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-16T02:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC have a web application that uses the GET method to process requests that contain sensitive information such as user account name and password, which can expose that information through the browser\u0027s history, referrers, web logs, and other sources.",
  "id": "GHSA-hgpq-gf6r-4vr6",
  "modified": "2022-05-13T01:36:45Z",
  "published": "2022-05-13T01:36:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3185"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/Hfuhs/status/839252357221330944"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/hack3rsca/status/839599437907386368"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/355151"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96720/info"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHVH-4RV2-P55M

Vulnerability from github – Published: 2026-02-23 12:31 – Updated: 2026-02-23 12:31
VLAI
Details

An information exposure vulnerability exists in

Vulnerability in HCL Software ZIE for Web.

The application transmits sensitive session tokens and authentication identifiers within the URL query parameters . An attacker who gains access to any network log or operates a site linked from the application can hijack user sessions

This issue affects ZIE for Web: v16.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-23T11:16:21Z",
    "severity": "MODERATE"
  },
  "details": "An information exposure vulnerability exists in\n\nVulnerability in HCL Software ZIE for Web.\n\nThe application transmits sensitive session tokens and authentication identifiers within the URL query parameters . An attacker who gains access to any network log or operates a site linked from the application can hijack user sessions\n\nThis issue affects ZIE for Web: v16.",
  "id": "GHSA-hhvh-4rv2-p55m",
  "modified": "2026-02-23T12:31:30Z",
  "published": "2026-02-23T12:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59873"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0128902"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HQF8-3W52-4344

Vulnerability from github – Published: 2024-08-02 00:31 – Updated: 2024-08-02 00:31
VLAI
Details

Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-01T22:15:25Z",
    "severity": "MODERATE"
  },
  "details": "Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.",
  "id": "GHSA-hqf8-3w52-4344",
  "modified": "2024-08-02T00:31:25Z",
  "published": "2024-08-02T00:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32931"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-06"
    },
    {
      "type": "WEB",
      "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HR3C-G4HC-C8WH

Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-09-17 15:30
VLAI
Details

An issue in Perplexity AI GPT-4 allows a remote attacker to obtain sensitive information via a GET parameter

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T14:15:39Z",
    "severity": "MODERATE"
  },
  "details": "An issue in Perplexity AI GPT-4 allows a remote attacker to obtain sensitive information via a GET parameter",
  "id": "GHSA-hr3c-g4hc-c8wh",
  "modified": "2025-09-17T15:30:36Z",
  "published": "2025-09-17T15:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50709"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mano257200/Perplexity-AI/blob/main/README.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mano257200/perplexity/blob/main/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HVR3-HX5M-G63G

Vulnerability from github – Published: 2025-04-30 21:31 – Updated: 2025-04-30 21:31
VLAI
Details

: Use of GET Request Method With Sensitive Query Strings vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini.This issue affects ANC: through 1.1.4; ANC-L: through 1.1.4; ANC-mini: through 1.1.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-30T19:15:54Z",
    "severity": "MODERATE"
  },
  "details": ": Use of GET Request Method With Sensitive Query Strings vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini.This issue affects ANC: through 1.1.4; ANC-L: through 1.1.4; ANC-mini: through 1.1.4.",
  "id": "GHSA-hvr3-hx5m-g63g",
  "modified": "2025-04-30T21:31:48Z",
  "published": "2025-04-30T21:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9877"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=2CRT000006\u0026LanguageCode=en\u0026DocumentPartId=PDF\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J46H-HW72-JXQH

Vulnerability from github – Published: 2025-05-22 15:34 – Updated: 2025-06-04 21:31
VLAI
Details

Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-598"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-22T13:15:57Z",
    "severity": "MODERATE"
  },
  "details": "Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u00a0Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.",
  "id": "GHSA-j46h-hw72-jxqh",
  "modified": "2025-06-04T21:31:10Z",
  "published": "2025-05-22T15:34:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3943"
    },
    {
      "type": "WEB",
      "url": "https://docs.niagara-community.com/category/tech_bull"
    },
    {
      "type": "WEB",
      "url": "https://honeywell.com/us/en/product-security#security-notices"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.

No CAPEC attack patterns related to this CWE.