CVE-2023-0901 - Vulnerability Details - OpenCVE

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pixelfed/pixelfed prior to 0.11.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00081.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Pixelfed	Pixelfed

Configuration 1 [-]

cpe:2.3:a:pixelfed:pixelfed:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-0799	Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pixelfed/pixelfed prior to 0.11.4.
Github GHSA	GHSA-vjxx-jgcx-9fq2	Pixelfed allows user enumeration via reset password functionality

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/pixelfed/pixelfed/commit/5b5f5bc38ca9ba39d0b7dacc3813fb899f71ba57
https://huntr.dev/bounties/0327b1b2-6e7c-4154-a307-15f236571010

History

Wed, 12 Mar 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2023-02-18T00:00:00.000Z

Updated: 2025-03-12T19:57:59.255Z

Reserved: 2023-02-18T00:00:00.000Z

Link: CVE-2023-0901

Vulnrichment

Updated: 2024-08-02T05:24:34.746Z

NVD

Status : Modified

Published: 2023-02-18T01:15:10.973

Modified: 2024-11-21T07:38:03.710

Link: CVE-2023-0901

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-0901", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "dateUpdated": "2025-03-12T19:57:59.255Z", "dateReserved": "2023-02-18T00:00:00.000Z", "datePublished": "2023-02-18T00:00:00.000Z"}, "containers": {"cna": {"title": "Exposure of Sensitive Information to an Unauthorized Actor in pixelfed/pixelfed", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev", "dateUpdated": "2023-02-18T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pixelfed/pixelfed prior to 0.11.4."}], "affected": [{"vendor": "pixelfed", "product": "pixelfed/pixelfed", "versions": [{"version": "unspecified", "lessThan": "0.11.4", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.dev/bounties/0327b1b2-6e7c-4154-a307-15f236571010"}, {"url": "https://github.com/pixelfed/pixelfed/commit/5b5f5bc38ca9ba39d0b7dacc3813fb899f71ba57"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200"}]}], "source": {"advisory": "0327b1b2-6e7c-4154-a307-15f236571010", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:24:34.746Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.dev/bounties/0327b1b2-6e7c-4154-a307-15f236571010", "tags": ["x_transferred"]}, {"url": "https://github.com/pixelfed/pixelfed/commit/5b5f5bc38ca9ba39d0b7dacc3813fb899f71ba57", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T19:57:54.266208Z", "id": "CVE-2023-0901", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T19:57:59.255Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.dev/bounties/0327b1b2-6e7c-4154-a307-15f236571010", "tags": ["x_transferred"]}, {"url": "https://github.com/pixelfed/pixelfed/commit/5b5f5bc38ca9ba39d0b7dacc3813fb899f71ba57", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:24:34.746Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-0901", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-12T19:57:54.266208Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T19:56:50.901Z"}}], "cna": {"title": "Exposure of Sensitive Information to an Unauthorized Actor in pixelfed/pixelfed", "source": {"advisory": "0327b1b2-6e7c-4154-a307-15f236571010", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "pixelfed", "product": "pixelfed/pixelfed", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "0.11.4", "versionType": "custom"}]}], "references": [{"url": "https://huntr.dev/bounties/0327b1b2-6e7c-4154-a307-15f236571010"}, {"url": "https://github.com/pixelfed/pixelfed/commit/5b5f5bc38ca9ba39d0b7dacc3813fb899f71ba57"}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pixelfed/pixelfed prior to 0.11.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev", "dateUpdated": "2023-02-18T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2023-0901", "state": "PUBLISHED", "dateUpdated": "2025-03-12T19:57:59.255Z", "dateReserved": "2023-02-18T00:00:00.000Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2023-02-18T00:00:00.000Z", "assignerShortName": "@huntrdev"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pixelfed:pixelfed:*:*:*:*:*:*:*:*", "matchCriteriaId": "71573784-3C90-4131-B37F-1D88D97BFA31", "versionEndExcluding": "0.11.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pixelfed/pixelfed prior to 0.11.4."}], "id": "CVE-2023-0901", "lastModified": "2024-11-21T07:38:03.710", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-18T01:15:10.973", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/pixelfed/pixelfed/commit/5b5f5bc38ca9ba39d0b7dacc3813fb899f71ba57"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/0327b1b2-6e7c-4154-a307-15f236571010"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/pixelfed/pixelfed/commit/5b5f5bc38ca9ba39d0b7dacc3813fb899f71ba57"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/0327b1b2-6e7c-4154-a307-15f236571010"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@huntr.dev", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}