CVE-2020-25073

MEDIUM

Debian Freedombox < 20.13 - Exposure to Wrong Actor

Title source: rule

Description

FreedomBox through 20.13 allows remote attackers to obtain sensitive information from the /server-status page of the Apache HTTP Server, because a connection from the Tor onion service (or from PageKite) is considered a local connection. This affects both the freedombox and plinth packages of some Linux distributions, but only if the Apache mod_status module is enabled.

References (1)

[Exploit, Third Party Advisory] https://salsa.debian.org/freedombox-team/freedombox/-/issues/1935

Scores

CVSS v3 5.3

EPSS 0.0097

EPSS Percentile 76.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-668

Status published

Affected Products (1)

debian/freedombox < 20.13

Timeline

Published Sep 02, 2020

Tracked Since Feb 18, 2026