Vulnerabilites related to Krypto-Hashers-Community - KHC-INVITATION-AUTOMATION
CVE-2025-46552 (GCVE-0-2025-46552)
Vulnerability from cvelistv5
Published
2025-04-29 22:13
Modified
2025-04-30 17:40
Severity ?
6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-284 - Improper Access Control
Summary
KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses without proper access controls. This allowed unauthorized users to access sensitive user information by directly calling specific endpoints. This issue has been patched in a later commit on version 1.2.
References
https://github.com/Krypto-Hashers-Community/KHC-INVITATION-AUTOMATION/security/advisories/GHSA-7mpf-6gg2-2fjpx_refsource_CONFIRM
https://github.com/Krypto-Hashers-Community/KHC-INVITATION-AUTOMATION/commit/bc908a4ef538b24d4543ae95a413be6afa308bf5x_refsource_MISC
Impacted products
Vendor Product Version
Krypto-Hashers-Community KHC-INVITATION-AUTOMATION Version: < 1.3
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46552",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T17:39:26.073559Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T17:40:07.561Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "KHC-INVITATION-AUTOMATION",
          "vendor": "Krypto-Hashers-Community",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses without proper access controls. This allowed unauthorized users to access sensitive user information by directly calling specific endpoints. This issue has been patched in a later commit on version 1.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-29T22:13:37.746Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Krypto-Hashers-Community/KHC-INVITATION-AUTOMATION/security/advisories/GHSA-7mpf-6gg2-2fjp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Krypto-Hashers-Community/KHC-INVITATION-AUTOMATION/security/advisories/GHSA-7mpf-6gg2-2fjp"
        },
        {
          "name": "https://github.com/Krypto-Hashers-Community/KHC-INVITATION-AUTOMATION/commit/bc908a4ef538b24d4543ae95a413be6afa308bf5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Krypto-Hashers-Community/KHC-INVITATION-AUTOMATION/commit/bc908a4ef538b24d4543ae95a413be6afa308bf5"
        }
      ],
      "source": {
        "advisory": "GHSA-7mpf-6gg2-2fjp",
        "discovery": "UNKNOWN"
      },
      "title": "KHC-INVITATION-AUTOMATION Sensitive User Information Leakage in Invitation Automation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46552",
    "datePublished": "2025-04-29T22:13:37.746Z",
    "dateReserved": "2025-04-24T21:10:48.173Z",
    "dateUpdated": "2025-04-30T17:40:07.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}