Description
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
Remediation
References
http://archives.neohapsis.com/archives/bugtraq/2013-03/0078.html
http://www.exploit-db.com/exploits/24744/