Description

The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.

Remediation

References

http://archives.neohapsis.com/archives/bugtraq/2013-03/0078.html

http://www.exploit-db.com/exploits/24744/

Related Vulnerabilities

CVE-2018-1000136 Vulnerability in npm package electron

CVE-2023-50578 Vulnerability in maven package net.mingsoft:ms-mcms

CVE-2023-46998 Vulnerability in maven package org.webjars.bower:bootbox

CVE-2018-3713 Vulnerability in npm package angular-http-server

CVE-2020-8131 Vulnerability in npm package yarn

Severity

Critical

Classification

CWE-200

Tags

Exploit