12 matches found

Github Security Blog
added 2026/04/10 7:49 p.m. | 5 views

Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure

Summary: The system log endpoints GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary...

AI score 5.9
Exploits 0 | References 3 | Affected Software 1
Veracode
added 2025/10/21 7:58 p.m. | 4 views

Improper Authentication

github.com/spectolabs/hoverfly is vulnerable to Improper Authentication. The vulnerability is due to the admin WebSocket endpoint /api/v2/ws/logs not being protected by the same authentication middleware as the REST admin API, which allows an unauthenticated remote attacker to access and stream...

CVSS 8.8 | AI score 7.3 | EPSS 0.00155
Exploits 1 | References 3 | Affected Software 1
EUVD
added 2025/10/03 8:07 p.m. | 5 views

EUVD-2025-27610

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 6.2 | EPSS 0.00155
Exploits 1 | References 4
SUSE CVE
added 2025/09/19 11:22 p.m. | 1 view

SUSE CVE-2025-54376

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly's admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time applicatio...

CVSS 7.5 | AI score 7 | EPSS 0.00155
Exploits 1 | References 2
RedhatCVE
added 2025/09/12 8:47 p.m. | 6 views

CVE-2025-54376

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time applicatio...

CVSS 8.8 | AI score 7.3 | EPSS 0.00155
Exploits 1 | References 1
Snyk
added 2025/09/10 8:43 p.m. | 1 view

Improper Authentication

Overview: Affected versions of this package are vulnerable to Improper Authentication via the WebSocket endpoint /api/v2/ws/logs, which is not protected by the authentication middleware even when authentication is enabled. An attacker can access real-time application logs, including internal file...

CVSS 8.8 | AI score 6.7 | EPSS 0.00155
Exploits 1 | References 2
Vulnrichment
added 2025/09/10 7:49 p.m. | 3 views

CVE-2025-54376 Hoverfly's WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled.

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time applicatio...

CVSS 8.8 | AI score 6.7 | EPSS 0.00155
Exploits 1 | References 2
Positive Technologies
added 2025/09/10 12:00 a.m. | 2 views

PT-2025-37098

Name of the Vulnerable Software and Affected Versions: Hoverfly versions 1.11.3 and prior. Description: Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs lacks the authentication middleware present in the REST admin API. This allows an unauthenticated remote attacker to stream real-time...

CVSS 9.9 | AI score 6.8 | EPSS 0.50933
Exploits 20 | References 47
CNVD
added 2020/12/31 12:00 a.m. | 0 views

Lan ATMService M3 ATM Monitoring System Directory Traversal Vulnerability

Lan ATMService M3 ATM Monitoring System is a software for monitoring ATM machines from the Russian company Lan ATMService. A directory traversal vulnerability exists in Lan ATMService M3 ATM Monitoring System 6.1.0. An attacker can use this vulnerability to view log files in /websocket/logs/ that...

CVSS 5.3 | AI score 6.8 | EPSS 0.00447
Exploits 0 | References 1
OSV
added 2020/12/10 9:15 a.m. | 1 view

CVE-2020-29666

In Lan ATMService M3 ATM Monitoring System 6.1.0, due to a directory-listing vulnerability, a remote attacker can view log files, located in /websocket/logs/, that contain a user's cookie values and the predefined developer's cookie value...

CVSS 5.3 | AI score 6.1 | EPSS 0.00447
Exploits 0 | References 2
Prion
added 2020/12/10 9:15 a.m. | 12 views

Directory traversal

In Lan ATMService M3 ATM Monitoring System 6.1.0, due to a directory-listing vulnerability, a remote attacker can view log files, located in /websocket/logs/, that contain a user's cookie values and the predefined developer's cookie value...

CVSS 5 | AI score 5.2 | EPSS 0.00447
Exploits 0 | References 2 | Affected Software 1
CNNVD
added 2020/12/10 12:00 a.m. | 2 views

Lan ATMService M3 ATM Security Vulnerability

Lan ATMService M3 ATM Monitoring System is a software for monitoring ATM machines from the Russian company Lan ATMService. A directory traversal vulnerability exists in Lan ATMService M3 ATM Monitoring System 6.1.0. An attacker can use this vulnerability to view log files in /websocket/logs/ that...

CVSS 5.3 | AI score 6.1 | EPSS 0.00447
Exploits 0 | References 3