Vulnerability Information
Vulnerability Title
Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
Vulnerability Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.
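The defect above is a read path that masks one credential field but not the two added later. The following Go example, written for this advisory and not taken from Vikunja's code base, puts the pre-2.2.1 behaviour next to the corrected one and adds a regression check over the serialised JSON; the `Webhook` struct shape, function names and sample values are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Webhook mirrors the JSON field names the advisory cites; the struct
// itself is an assumption for this example, not Vikunja's own type.
type Webhook struct {
	ID                int64  `json:"id"`
	TargetURL         string `json:"target_url"`
	Secret            string `json:"secret"`
	BasicAuthUser     string `json:"basic_auth_user"`
	BasicAuthPassword string `json:"basic_auth_password"`
}

// redactSecretOnly reproduces the pre-2.2.1 read path: the HMAC secret is
// blanked, but the BasicAuth fields are returned exactly as stored.
func redactSecretOnly(w Webhook) Webhook {
	w.Secret = ""
	return w
}

// redactAll is the corrected treatment: every credential-bearing field is
// cleared before the webhook is serialised for any project reader.
func redactAll(w Webhook) Webhook {
	w.Secret = ""
	w.BasicAuthUser = ""
	w.BasicAuthPassword = ""
	return w
}

// leaksCredentials is a regression check over the bytes actually emitted:
// it reports true if any non-empty secret value survives serialisation.
func leaksCredentials(w Webhook, secrets ...string) bool {
	body, _ := json.Marshal(w)
	for _, s := range secrets {
		if s != "" && strings.Contains(string(body), s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample webhook; credential values are placeholders.
	hook := Webhook{ID: 1, TargetURL: "https://receiver.example/hook",
		Secret: "hmac-secret-placeholder", BasicAuthUser: "svc-user", BasicAuthPassword: "pw-placeholder"}
	creds := []string{hook.Secret, hook.BasicAuthUser, hook.BasicAuthPassword}
	fmt.Println("pre-2.2.1 path leaks:", leaksCredentials(redactSecretOnly(hook), creds...))
	fmt.Println("patched path leaks:  ", leaksCredentials(redactAll(hook), creds...))
}
```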
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
Information Exposure
Vulnerability Title
Vikunja Information Disclosure Vulnerability
Vulnerability Description
Vikunja is an open-source to-do application from Vikunja. Versions of Vikunja prior to 2.2.1 contain an information disclosure vulnerability: the GET /api/v1/projects/:project/webhooks endpoint returns BasicAuth credentials in plaintext, which may lead to credential leakage.
CVSS Information
N/A
Vulnerability Type
N/A