3 matches found
Information Disclosure
thelounge is vulnerable to Information Disclosure. The vulnerability is due to inadequate handling of unique identifiers when different connections share the same local port but have different addresses, potentially leading to the public disclosure of user information...
hidden-plugin-topicregex (>=0.0.3 <=0.0.4), thelounge-plugin-am (>=0.1.0 <=0.4.0) +14 more potentially affected by unknown CVE via thelounge (>=3.0.1 <=4.4.3)
thelounge NPM version =3.0.1, =0.0.3, =0.1.0, =1.0.0, =1.0.0, =1.0.1, =1.0.0, =1.1.0, =1.0.0, =1.0.0, =1.0.2, =1.0.2-5, =1.4.3, =1.5.9 and more. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-G49Q-JW42-6X85...
thelounge may publicly disclose all usernames/idents via port 113
Per RFC 1413, the unique identifying tuple includes not only the ports but also both addresses. Without the addresses, the information becomes both non-unique and public: - If multiple connections happen to use the same local port number, which is possible if the addresses differ, the usernam...