Description
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
Remediation
References
http://archives.neohapsis.com/archives/bugtraq/2013-03/0078.html
http://www.exploit-db.com/exploits/24744/
Related Vulnerabilities
CVE-2022-41940 Vulnerability in maven package org.webjars.bower:engine.io
CVE-2022-21186 Vulnerability in npm package @acrontum/filesystem-template
CVE-2019-10757 Vulnerability in maven package org.webjars.npm:knex
CVE-2021-3918 Vulnerability in npm package json-schema
CVE-2020-7686 Vulnerability in npm package rollup-plugin-dev-server