CVE-2025-54766 | THREATINT

Description

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information.

PUBLISHED Reserved 2025-07-28 | Published 2025-07-28 | Updated 2025-11-03 | Assigner KoreLogic

Problem types

CWE-648: Incorrect Use of Privileged APIs

Product status

Default status

affected

1.8 (semver) before 1.9.38

affected

Credits

This vulnerability was discovered by Jim Becher of KoreLogic, Inc. finder

References

seclists.org/fulldisclosure/2025/Jul/15

korelogic.com/Resources/Advisories/KL-001-2025-012.txt third-party-advisory

xormon.com/note190.php release-notes

cve.org (CVE-2025-54766)

nvd.nist.gov (CVE-2025-54766)

Download JSON