CVE-2025-13084 | THREATINT

Description

The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators.

PUBLISHED Reserved 2025-11-12 | Published 2025-11-26 | Updated 2025-11-26 | Assigner icscert

HIGH: 7.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

MEDIUM: 6.1CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

Product status

Default status

unaffected

R1.0a (custom)

affected

Default status

unaffected

Any version

affected

Default status

unaffected

Any version

affected

Credits

Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to CISA. finder

References

www.opto22.com/support/resources-tools/knowledgebase/kb91325

www.cisa.gov/news-events/ics-advisories/icsa-25-329-04

github.com/...p/csaf_files/OT/white/2025/icsa-25-329-04.json

cve.org (CVE-2025-13084)

nvd.nist.gov (CVE-2025-13084)

Download JSON

help @ threatint.eu