10 matches found
CVE-2026-33638
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...
CVE-2026-33638 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...
CVE-2026-33638
CVE-2026-33638 (Ech0) : Prior to version 4.2.0, the public endpoint GET /api/allusers exposes user records without authentication, enabling remote unauthenticated user enumeration and exposure of user profile metadata. The issue is in the internal/router handling of /api/allusers. A fix is availa...
CVE-2026-33638 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the /api/allusers endpoint. An attacker can access sensitive user information by sending requests to this publicly accessible API endpoint. Remediation Upgrade github.com/lin-snow/ech0/internal/router to versio...
GO-2026-4838 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint in github.com/lin-snow/ech0
Ech0 authenticated user-list exposed data via public /api/allusers endpoint in github.com/lin-snow/ech0...
Ech0 安全漏洞
Ech0 is a self-hosted personal microblogging platform developed by L1nSn0w. Versions of Ech0 prior to 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the GET /api/allusers endpoint, which returned user records without verification, potentially allowing unauthorized...
Malicious code in sap-allusers (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d5eacfc5bc68ef30f29755795ed8ff32a858d41764d8e98b1e3e4525fe339f04 The OpenSSF Package Analysis project identified 'sap-allusers' @ 0.0.0 npm as malicious. It is considered malicious because: - The package...
MAL-2024-7541 Malicious code in sap-allusers (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d5eacfc5bc68ef30f29755795ed8ff32a858d41764d8e98b1e3e4525fe339f04 The OpenSSF Package Analysis project identified 'sap-allusers' @ 0.0.0 npm as malicious. It is considered malicious because: - The package...
Udemy: S3 bucket unnecessarily discloses permissions
The 'udemy-images' bucket allows the 'AllUsers' group to list ACLs that are applied to the bucket. By navigating to: https://udemy-images.udemy.com or by using the aws-cli tool an attacker can see which users have READ, WRITE, READACP, and WRITEACP rights. Doing this now we can see one user who h...