CVE-2025-13084
7.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Summary
The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Opto 22 | groov View Server | R1.0a <= R4.5d | affected |
| Opto 22 | GRV-EPIC-PR1 Firmware | 0 <= 4.0.3 | affected |
| Opto 22 | GRV-EPIC-PR2 Firmware | 0 <= 4.0.3 | affected |
Weaknesses
- CWE-1230: CWE-1230
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.opto22.com/support/resources-tools/knowledgebase/kb91325
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-04
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-04.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.