BlueWave Checkmate Sensitive Data Exposure Vulnerability in Settings API

Vulnerability

A vulnerability exists in BlueWave Checkmate versions prior to 2.1, allowing authenticated regular users to access sensitive application secrets through the /api/v1/settings endpoint. This issue arises from improper sanitization of settings data, which can lead to the unintentional disclosure of confidential information.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive application secrets, which could be misused in various ways depending on the nature of the exposed data.

Reproduction

To reproduce this vulnerability, an authenticated regular user can send a request to the /api/v1/settings endpoint. The response will include sensitive application secrets that have not been properly sanitized, such as the PageSpeed API key and the system email password.

Remediation

Users should update to BlueWave Checkmate version 2.1 or later, where this vulnerability has been addressed.
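As an added illustration of the kind of server-side fix the remediation implies (this is not Checkmate's own code; the field names, the req.user.role shape and the sample record are all assumptions), a response sanitizer that strips secret fields for regular users and masks them for administrators before a settings endpoint returns the record:

```javascript
// Fields known to hold secrets; these names are assumed, not Checkmate's.
const SECRET_FIELDS = new Set(["pagespeedApiKey", "systemEmailPassword"]);
// Safety net so a newly added credential-like field is hidden by default.
const SECRET_PATTERN = /(password|secret|apikey|api_key|token)/i;
const MASK = "********";

function isSecretKey(key) {
  return SECRET_FIELDS.has(key) || SECRET_PATTERN.test(key);
}

// Returns a new object. mode "strip" drops secret fields entirely (regular
// users); mode "mask" keeps the key but replaces the value (an admin UI that
// only needs to show "configured"). Nested objects and arrays are walked.
function sanitizeSettings(settings, { mode = "strip" } = {}) {
  if (Array.isArray(settings)) return settings.map((s) => sanitizeSettings(s, { mode }));
  if (settings === null || typeof settings !== "object") return settings;
  const out = {};
  for (const [key, value] of Object.entries(settings)) {
    if (isSecretKey(key)) {
      if (mode === "mask") out[key] = MASK;
      continue;
    }
    out[key] = sanitizeSettings(value, { mode });
  }
  return out;
}

// Express-style handler body: the raw record never reaches the response.
// The req.user.role shape is an assumption.
function settingsHandler(req, settings) {
  const isAdmin = Boolean(req.user && req.user.role === "admin");
  return sanitizeSettings(settings, { mode: isAdmin ? "mask" : "strip" });
}

// Regression guard for the regular-user view: true if any secret-named key
// survives anywhere in the object.
function containsSecret(obj) {
  if (Array.isArray(obj)) return obj.some(containsSecret);
  if (obj === null || typeof obj !== "object") return false;
  return Object.entries(obj).some(([k, v]) => isSecretKey(k) || containsSecret(v));
}

// Constructed sample settings record (values are not real).
const SAMPLE_SETTINGS = {
  appName: "Checkmate",
  pagespeedApiKey: "constructed-pagespeed-key",
  smtp: { host: "mail.example.com", systemEmailPassword: "constructed-password" },
  checkIntervalSeconds: 60,
};
```

Running sanitizeSettings(SAMPLE_SETTINGS) returns the record without pagespeedApiKey or smtp.systemEmailPassword, and containsSecret on that result is false, which is the check a unit test for the endpoint should make.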

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.