Description
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
Remediation
References
http://archives.neohapsis.com/archives/bugtraq/2013-03/0078.html
http://www.exploit-db.com/exploits/24744/