Description
In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden from everyone except admins. All versions after commit f3dc89b9f6ab1544a289b3efc06699b13d63e0bd (3/10/20) are patched.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/ractf/core/security/advisories/GHSA-ph67-c355-52vm
Patch, Vendor Advisory x_refsource_misc
https://github.com/ractf/core/commit/f3dc89b9f6ab1544a289b3efc06699b13d63e0bd
Scores
CVSS v3
5.9
EPSS
0.0071
EPSS Percentile
72.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
ractf/core
< 41edf92
Published
Oct 05, 2020
Tracked Since
Feb 18, 2026