atjiu pybbs Information Disclosure Vulnerability in UserApiController

Vulnerability

An information disclosure vulnerability has been identified in atjiu pybbs versions through 6.0.0. The issue resides in the UserApiController.java file, specifically within the GET /api/user/{username} endpoint. This vulnerability allows authenticated users to access sensitive information, including login tokens and email addresses, of other users. The exposed tokens can be used to impersonate the users, leading to unauthorized account access.

Impact

Exploitation of this vulnerability allows for account takeover by impersonating the user whose token was obtained. Additionally, it breaches privacy by exposing personal information such as email addresses and other metadata.

Reproduction

To reproduce this vulnerability, an authenticated user sends a GET request to the /api/user/{username} endpoint, replacing {username} with the target username. The request must include the requesting user's own authentication token in the headers. The response contains the target user's token and email address, which can then be used to impersonate that user.
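The root cause described above is an endpoint that serializes the full user record, credential included, to any authenticated caller. The following is an added illustration, not code from pybbs or from the advisory: it shows that handler shape next to the hardened form, which maps the entity onto an allow-listed public view before it leaves the controller. The User fields, the findUser helper, and the PublicUserView class are assumptions made for the example; only the endpoint path comes from the advisory.

```java
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

public class UserApiExample {

    // Hypothetical persistence model. A real entity typically carries many
    // more columns; the point is that some of them are secrets or PII.
    public static class User {
        public String username;
        public String email;  // personal data, not for other users
        public String token;  // session credential: equivalent to a password
        public String bio;

        public User(String username, String email, String token, String bio) {
            this.username = username;
            this.email = email;
            this.token = token;
            this.bio = bio;
        }
    }

    // Allow-listed view: only the fields another user is entitled to see.
    // Adding a column to User never widens this response by accident.
    public static class PublicUserView {
        public final String username;
        public final String bio;

        public PublicUserView(User u) {
            this.username = u.username;
            this.bio = u.bio;
        }
    }

    // Vulnerable shape: the entity is returned as-is, so the JSON serializer
    // emits every public field, including token and email, to the caller.
    @RestController
    @RequestMapping("/api/user")
    public static class LeakyUserApiController {
        @GetMapping("/{username}")
        public User get(@PathVariable String username) {
            return findUser(username);
        }
    }

    // Hardened shape: map to the public view at the controller boundary.
    // The secret never reaches the serializer, regardless of entity changes.
    @RestController
    @RequestMapping("/api/user")
    public static class SafeUserApiController {
        @GetMapping("/{username}")
        public PublicUserView get(@PathVariable String username) {
            return new PublicUserView(findUser(username));
        }
    }

    // Constructed lookup standing in for the repository call.
    static User findUser(String username) {
        return new User(username, "alice@example.test",
                        "CONSTRUCTED-SAMPLE-TOKEN", "Hello from the forum");
    }
}
```

Both controllers are annotated so the contrast is visible in one file; a running application would register only the hardened one, since two handlers on the same path conflict at startup. As defence in depth, marking the token field with Jackson's @JsonIgnore keeps the credential out of any JSON response even if an entity is returned directly somewhere else, but the allow-listed view is the fix that also covers email and future columns.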

Added: Oct 27, 2025, 5:32 PM
Updated: Oct 27, 2025, 5:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.