ThriveX Blogging Framework Unauthenticated Information Disclosure Vulnerability
Vulnerability
A vulnerability in the ThriveX Blogging Framework versions 2.5.9 through 3.1.3 allows unauthenticated attackers to access sensitive information, such as API keys, through the '/api/assistant/list' endpoint. The issue arises from insufficient access controls in the 'AssistantController.java' file, which permit unauthorized users to query sensitive data from the application.
Impact
Exploitation of this vulnerability leads to unauthorized access to API keys, which can be used to invoke third-party services, potentially causing resource consumption or additional costs.
Reproduction
To reproduce this vulnerability, send a request to the '/api/assistant/list' endpoint without authentication. The response will include sensitive information such as API keys. This can be done using a tool like Postman or curl.
Remediation
Users are advised to upgrade to ThriveX Blogging Framework version 3.1.4 or later, which addresses this vulnerability. For those unable to upgrade immediately, it is recommended to implement authentication and authorization checks on the '/api/assistant/list' endpoint and monitor for suspicious API activity.
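As an added illustration of the interim mitigation (this is example code, not code from the ThriveX project or from this advisory), the following Spring Security configuration requires an authenticated caller holding an administrative role for every route under /api/assistant, and the accompanying response model returns only a masked form of each assistant's key so the raw secret never leaves the server even for authorised users. It assumes ThriveX is a Spring Boot application with Spring Security 6 on the classpath and an authentication mechanism (session or token) already configured elsewhere; the package, class, role and field names are hypothetical.

```java
// Added example, not ThriveX project code. Assumes Spring Boot with
// Spring Security 6; package, class, role and field names are hypothetical.
package com.example.hardening;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class AssistantSecurityConfig {

    // Gate every assistant route: an unauthenticated request is rejected before it
    // reaches the controller, and an authenticated user still needs the ADMIN role.
    // Previously /api/assistant/list answered with no credentials at all.
    @Bean
    SecurityFilterChain assistantFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/assistant/**").hasRole("ADMIN")
                .anyRequest().permitAll());
        return http.build();
    }
}

// Response model for the list endpoint that never carries the raw API key.
// Authorisation limits who may call the endpoint; this limits what they get back.
record AssistantSummary(long id, String name, String maskedKey) {

    static AssistantSummary from(long id, String name, String apiKey) {
        return new AssistantSummary(id, name, mask(apiKey));
    }

    // Keep only the last four characters so an operator can tell keys apart
    // in the UI without the full value being exposed.
    static String mask(String apiKey) {
        if (apiKey == null || apiKey.length() <= 4) {
            return "****";
        }
        return "****" + apiKey.substring(apiKey.length() - 4);
    }
}
```

The two halves address different failure modes: the filter chain closes the missing access check the advisory describes, while the masked model ensures that a future regression in the access rule, or a legitimately authorised but compromised account, cannot harvest complete keys from the list response. Requests rejected by the filter chain are logged by Spring Security at the framework level, which gives the monitoring the advisory recommends a concrete signal to alert on.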
