Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNqNzgtN201OS1yN2d2

High EPSS: 0.01132% (0.77176 Percentile) EPSS:
Permalink JSON

Private data exposure via REST API in BuddyPress

Affected Packages Affected Versions Fixed Versions
packagist:buddypress/buddypress < 5.1.2 5.1.2
2 Dependent packages
7 Dependent repositories
1,945 Downloads total

Affected Version Ranges

All affected versions

2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.4.1, 5.0.0, 5.1.0, 5.1.1

All unaffected versions

5.1.2, 5.2.0, 5.2.1, 5.2.2, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 6.4.0, 6.4.2, 6.4.3, 7.0.0, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.2, 8.0.3, 8.0.4, 9.0.0, 9.1.1, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 11.0.0, 11.1.0, 11.2.0, 11.3.1, 11.3.2, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 12.0.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.4.1, 12.5.0, 12.5.1, 12.5.2, 12.5.3, 14.0.0, 14.1.0, 14.2.1, 14.3.1, 14.3.3, 14.3.4

In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed.

This has been patched in version 5.1.2.

References:

Identifiers

GHSA-3j78-7m59-r7gv

CVE-2020-5244

Risk

Severity

High

EPSS

EPSS Percentage: 0.01132

EPSS Percentile: 0.77176

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/buddypress/BuddyPress

Date and time

Published

over 5 years ago

Updated

over 2 years ago

API

JSON