CWE-598
AllowedUse of HTTP Request With Sensitive Query String
Abstraction: Variant · Status: Draft
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.
139 vulnerabilities reference this CWE, most recent first.
GHSA-2CCR-G2RV-H677
Vulnerability from github – Published: 2024-03-12 20:47 – Updated: 2024-03-13 22:25Impact
When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
There's no workaround available.
References
Are there any links users can visit to find out more?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28238"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-598"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-12T20:47:18Z",
"nvd_published_at": "2024-03-12T21:15:59Z",
"severity": "LOW"
},
"details": "### Impact\n\nWhen reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user.\n\n### Patches\n\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n\nThere\u0027s no workaround available.\n\n### References\n\n_Are there any links users can visit to find out more?_\n",
"id": "GHSA-2ccr-g2rv-h677",
"modified": "2024-03-13T22:25:10Z",
"published": "2024-03-12T20:47:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-2ccr-g2rv-h677"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28238"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Session Token in URL in directus"
}
GHSA-2G3Q-9HVF-4QGX
Vulnerability from github – Published: 2025-08-25 09:32 – Updated: 2025-08-25 09:32An Information Exposure vulnerability has been identified in OpenText Enterprise Security Manager. The vulnerability could be remotely exploited.
{
"affected": [],
"aliases": [
"CVE-2025-8997"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-25T07:15:35Z",
"severity": "MODERATE"
},
"details": "An Information Exposure vulnerability has been identified in OpenText Enterprise Security Manager. The vulnerability could be remotely exploited.",
"id": "GHSA-2g3q-9hvf-4qgx",
"modified": "2025-08-25T09:32:02Z",
"published": "2025-08-25T09:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8997"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000042482"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2QHM-4W63-5PPH
Vulnerability from github – Published: 2025-07-08 12:31 – Updated: 2025-07-08 12:31A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) V9.6 (All versions), SIPROTEC 5 6MU85 (CP300) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions), SIPROTEC 5 7SD82 (CP100) (All versions), SIPROTEC 5 7SD82 (CP150) (All versions), SIPROTEC 5 7SD86 (CP300) (All versions), SIPROTEC 5 7SD87 (CP300) (All versions), SIPROTEC 5 7SJ81 (CP100) (All versions), SIPROTEC 5 7SJ81 (CP150) (All versions), SIPROTEC 5 7SJ82 (CP100) (All versions), SIPROTEC 5 7SJ82 (CP150) (All versions), SIPROTEC 5 7SJ85 (CP300) (All versions), SIPROTEC 5 7SJ86 (CP300) (All versions), SIPROTEC 5 7SK82 (CP100) (All versions), SIPROTEC 5 7SK82 (CP150) (All versions), SIPROTEC 5 7SK85 (CP300) (All versions), SIPROTEC 5 7SL82 (CP100) (All versions), SIPROTEC 5 7SL82 (CP150) (All versions), SIPROTEC 5 7SL86 (CP300) (All versions), SIPROTEC 5 7SL87 (CP300) (All versions), SIPROTEC 5 7SS85 (CP300) (All versions), SIPROTEC 5 7ST85 (CP300) (All versions), SIPROTEC 5 7ST86 (CP300) (All versions), SIPROTEC 5 7SX82 (CP150) (All versions), SIPROTEC 5 7SX85 (CP300) (All versions), SIPROTEC 5 7SY82 (CP150) (All versions), SIPROTEC 5 7UM85 (CP300) (All versions), SIPROTEC 5 7UT82 (CP100) (All versions), SIPROTEC 5 7UT82 (CP150) (All versions), SIPROTEC 5 7UT85 (CP300) (All versions), SIPROTEC 5 7UT86 (CP300) (All versions), SIPROTEC 5 7UT87 (CP300) (All versions), SIPROTEC 5 7VE85 (CP300) (All versions), SIPROTEC 5 7VK87 (CP300) (All versions), SIPROTEC 5 7VU85 (CP300) (All versions), SIPROTEC 5 Compact 7SX800 (CP050) (All versions). The affected devices include session identifiers in URL requests for certain functionalities. This could allow an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms, potentially leading to unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2025-40742"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T11:15:30Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) V9.6 (All versions), SIPROTEC 5 6MU85 (CP300) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions), SIPROTEC 5 7SD82 (CP100) (All versions), SIPROTEC 5 7SD82 (CP150) (All versions), SIPROTEC 5 7SD86 (CP300) (All versions), SIPROTEC 5 7SD87 (CP300) (All versions), SIPROTEC 5 7SJ81 (CP100) (All versions), SIPROTEC 5 7SJ81 (CP150) (All versions), SIPROTEC 5 7SJ82 (CP100) (All versions), SIPROTEC 5 7SJ82 (CP150) (All versions), SIPROTEC 5 7SJ85 (CP300) (All versions), SIPROTEC 5 7SJ86 (CP300) (All versions), SIPROTEC 5 7SK82 (CP100) (All versions), SIPROTEC 5 7SK82 (CP150) (All versions), SIPROTEC 5 7SK85 (CP300) (All versions), SIPROTEC 5 7SL82 (CP100) (All versions), SIPROTEC 5 7SL82 (CP150) (All versions), SIPROTEC 5 7SL86 (CP300) (All versions), SIPROTEC 5 7SL87 (CP300) (All versions), SIPROTEC 5 7SS85 (CP300) (All versions), SIPROTEC 5 7ST85 (CP300) (All versions), SIPROTEC 5 7ST86 (CP300) (All versions), SIPROTEC 5 7SX82 (CP150) (All versions), SIPROTEC 5 7SX85 (CP300) (All versions), SIPROTEC 5 7SY82 (CP150) (All versions), SIPROTEC 5 7UM85 (CP300) (All versions), SIPROTEC 5 7UT82 (CP100) (All versions), SIPROTEC 5 7UT82 (CP150) (All versions), SIPROTEC 5 7UT85 (CP300) (All versions), SIPROTEC 5 7UT86 (CP300) (All versions), SIPROTEC 5 7UT87 (CP300) (All versions), SIPROTEC 5 7VE85 (CP300) (All versions), SIPROTEC 5 7VK87 (CP300) (All versions), SIPROTEC 5 7VU85 (CP300) (All versions), SIPROTEC 5 Compact 7SX800 (CP050) (All versions). The affected devices include session identifiers in URL requests for certain functionalities. This could allow an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms, potentially leading to unauthorized access.",
"id": "GHSA-2qhm-4w63-5pph",
"modified": "2025-07-08T12:31:02Z",
"published": "2025-07-08T12:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40742"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-904646.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-339W-6R43-VJH2
Vulnerability from github – Published: 2025-06-12 15:31 – Updated: 2025-06-12 15:31The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.
{
"affected": [],
"aliases": [
"CVE-2025-49188"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-12T14:15:31Z",
"severity": "MODERATE"
},
"details": "The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.",
"id": "GHSA-339w-6r43-vjh2",
"modified": "2025-06-12T15:31:23Z",
"published": "2025-06-12T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49188"
},
{
"type": "WEB",
"url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-37FX-2M8V-2X4J
Vulnerability from github – Published: 2023-08-03 18:30 – Updated: 2024-04-04 06:31NVIDIA Omniverse Workstation Launcher for Windows and Linux contains a vulnerability in the authentication flow, where a user’s access token is displayed in the browser user's address bar. An attacker could use this token to impersonate the user to access launcher resources. A successful exploit of this vulnerability may lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2023-25524"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-03T17:15:11Z",
"severity": "MODERATE"
},
"details": "\nNVIDIA Omniverse Workstation Launcher for Windows and Linux contains a vulnerability in the authentication flow, where a user\u2019s access token is displayed in the browser user\u0027s address bar. An attacker could use this token to impersonate the user to access launcher resources. A successful exploit of this vulnerability may lead to information disclosure.\n\n",
"id": "GHSA-37fx-2m8v-2x4j",
"modified": "2024-04-04T06:31:59Z",
"published": "2023-08-03T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25524"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5472"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-37PM-83G7-R22V
Vulnerability from github – Published: 2026-06-19 14:16 – Updated: 2026-06-19 14:16Summary
In affected versions, the OAuth2 token request sends app_id, app_secret,
refresh_token and code as URL query parameters of the POST request to
https://oauth.<domain>/oauth/api/oauth2/token. Request URLs are commonly
recorded in access logs, proxy logs and APM traces, so the application secret
and refresh token can be persisted in plain text outside the application's
control.
In addition, when the token request fails, the Guzzle exception message —
which contains the full request URI including the credentials — was passed
unmodified into the AuthorizationFailedException thrown by
OAuth2::obtainAccessToken(). Applications that log exceptions or forward
them to error trackers (e.g. Sentry) may therefore have recorded the app
secret in their logs.
## Impact
An attacker with access to web server logs, proxy logs, APM tracing data or
application error logs of a consumer of this library can obtain the Canto
app_secret, refresh_token or authorization code and use them to obtain
access tokens for the Canto tenant.
## Patches
Fixed in 3.0.0:
- OAuth credentials are sent in the form-encoded POST body instead of the URL
query string (RFC 6749 §2.3.1).
OAuth2Request::getQueryParams()now returnsnull; the parameters are available viagetFormParams(). - Exception messages are sanitized before being rethrown: the values of
app_secret,refresh_tokenandcodeare masked (including url-encoded, differently cased and JSON-embedded variants).
## Workarounds
If you cannot upgrade:
- Treat web server, proxy and APM logs of systems performing Canto OAuth requests as secret material and restrict access to them.
- Catch
AuthorizationFailedExceptionin your application and strip the query string from the message before logging or forwarding it.
If your logs may have been exposed, rotate the affected Canto app secret.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.0"
},
"package": {
"ecosystem": "Packagist",
"name": "jleehr/canto-saas-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55375"
],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-598"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T14:16:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n In affected versions, the OAuth2 token request sends `app_id`, `app_secret`,\n `refresh_token` and `code` as URL query parameters of the POST request to\n `https://oauth.\u003cdomain\u003e/oauth/api/oauth2/token`. Request URLs are commonly\n recorded in access logs, proxy logs and APM traces, so the application secret\n and refresh token can be persisted in plain text outside the application\u0027s\n control.\n\n In addition, when the token request fails, the Guzzle exception message \u2014\n which contains the full request URI including the credentials \u2014 was passed\n unmodified into the `AuthorizationFailedException` thrown by\n `OAuth2::obtainAccessToken()`. Applications that log exceptions or forward\n them to error trackers (e.g. Sentry) may therefore have recorded the app\n secret in their logs.\n\n ## Impact\n\n An attacker with access to web server logs, proxy logs, APM tracing data or\n application error logs of a consumer of this library can obtain the Canto\n `app_secret`, `refresh_token` or authorization `code` and use them to obtain\n access tokens for the Canto tenant.\n\n ## Patches\n\n Fixed in 3.0.0:\n\n - OAuth credentials are sent in the form-encoded POST body instead of the URL\n query string (RFC 6749 \u00a72.3.1). `OAuth2Request::getQueryParams()` now\n returns `null`; the parameters are available via `getFormParams()`.\n - Exception messages are sanitized before being rethrown: the values of\n `app_secret`, `refresh_token` and `code` are masked (including url-encoded,\n differently cased and JSON-embedded variants).\n\n ## Workarounds\n\n If you cannot upgrade:\n\n - Treat web server, proxy and APM logs of systems performing Canto OAuth\n requests as secret material and restrict access to them.\n - Catch `AuthorizationFailedException` in your application and strip the query\n string from the message before logging or forwarding it.\n\n If your logs may have been exposed, rotate the affected Canto app secret.",
"id": "GHSA-37pm-83g7-r22v",
"modified": "2026-06-19T14:16:41Z",
"published": "2026-06-19T14:16:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jleehr/canto-saas-api/security/advisories/GHSA-37pm-83g7-r22v"
},
{
"type": "PACKAGE",
"url": "https://github.com/jleehr/canto-saas-api"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "canto-saas-api: OAuth credentials exposed in URL query string and exception messages"
}
GHSA-3GMG-V9XP-M3JG
Vulnerability from github – Published: 2023-10-10 18:31 – Updated: 2024-04-04 08:30A use of GET request method with sensitive query strings vulnerability in Fortinet FortiOS 7.0.0 - 7.0.12, 7.2.0 - 7.2.5 and 7.4.0 allows an attacker to view plaintext passwords of remote services such as RDP or VNC, if the attacker is able to read the GET requests to those services.
{
"affected": [],
"aliases": [
"CVE-2023-37935"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-10T17:15:12Z",
"severity": "HIGH"
},
"details": "A use of GET request method with sensitive query strings vulnerability in Fortinet FortiOS 7.0.0 - 7.0.12, 7.2.0 - 7.2.5 and 7.4.0 allows an attacker to view plaintext passwords of remote services such as RDP or VNC, if the attacker is able to read the GET requests to those services.",
"id": "GHSA-3gmg-v9xp-m3jg",
"modified": "2024-04-04T08:30:14Z",
"published": "2023-10-10T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37935"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-120"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-42H9-MR3G-6GC2
Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-23 21:31An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter.
{
"affected": [],
"aliases": [
"CVE-2026-26721"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T17:25:55Z",
"severity": "HIGH"
},
"details": "An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter.",
"id": "GHSA-42h9-mr3g-6gc2",
"modified": "2026-02-23T21:31:23Z",
"published": "2026-02-20T18:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26721"
},
{
"type": "WEB",
"url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26721"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4CQV-CV9M-26Q8
Vulnerability from github – Published: 2024-06-26 21:32 – Updated: 2024-07-03 18:47An issue was discovered on HMS Anybus X-Gateway AB7832-F 3 devices. The gateway exposes a web interface on port 80. An unauthenticated GET request to a specific URL triggers the reboot of the Anybus gateway (or at least most of its modules). An attacker can use this feature to carry out a denial of service attack by continuously sending GET requests to that URL.
{
"affected": [],
"aliases": [
"CVE-2024-23766"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-26T21:15:12Z",
"severity": "HIGH"
},
"details": "An issue was discovered on HMS Anybus X-Gateway AB7832-F 3 devices. The gateway exposes a web interface on port 80. An unauthenticated GET request to a specific URL triggers the reboot of the Anybus gateway (or at least most of its modules). An attacker can use this feature to carry out a denial of service attack by continuously sending GET requests to that URL.",
"id": "GHSA-4cqv-cv9m-26q8",
"modified": "2024-07-03T18:47:04Z",
"published": "2024-06-26T21:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23766"
},
{
"type": "WEB",
"url": "https://sensepost.com/blog/2024/targeting-an-industrial-protocol-gateway"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4HF4-8437-8WG9
Vulnerability from github – Published: 2026-03-10 21:32 – Updated: 2026-03-10 21:32IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history.
{
"affected": [],
"aliases": [
"CVE-2025-13219"
],
"database_specific": {
"cwe_ids": [
"CWE-598"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-10T20:16:19Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history.",
"id": "GHSA-4hf4-8437-8wg9",
"modified": "2026-03-10T21:32:17Z",
"published": "2026-03-10T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13219"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7263083"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.
No CAPEC attack patterns related to this CWE.