CVE-2025-54768 | THREATINT

Description

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information.

PUBLISHED Reserved 2025-07-28 | Published 2025-07-28 | Updated 2025-11-03 | Assigner KoreLogic

Problem types

CWE-648: Incorrect Use of Privileged APIs

Product status

Default status

affected

8.04

affected

Credits

This vulnerability was discovered by Jim Becher of KoreLogic, Inc. finder

References

seclists.org/fulldisclosure/2025/Jul/18

korelogic.com/Resources/Advisories/KL-001-2025-015.txt third-party-advisory

lpar2rrd.com/note800.php release-notes

cve.org (CVE-2025-54768)

nvd.nist.gov (CVE-2025-54768)

Download JSON