CVE-2024-9418

Summary

In version 0.0.14 of transformeroptimus/superagi, the API endpoint /api/users/get/{id} returns the user's password in plaintext. This vulnerability allows an attacker to retrieve the password of another user, leading to potential account takeover.

Affected Software

VendorProductVersion RangeStatus
transformeroptimustransformeroptimus/superagiunspecified <= latestaffected

Weaknesses

  • CWE-256: CWE-256 Unprotected Storage of Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References