CVE-2026-30689
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
In Blog.Core through bcb4d17, the getinfobytoken API interface contains improper access control that leads to sensitive data exposure. Unauthorized parties can obtain sensitive administrator account information via a valid token, threatening system security. NOTE: Blog.Admin is related front-end code that does not offer an API service.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| anjoy8 | Blog.Core | 0 <= bcb4d17ccc71e206a0c2ff663faf4b399e19f687 | affected |
Weaknesses
- CWE-863: CWE-863 Incorrect Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://gist.github.com/Sw3092567023/c420c6a5ee947d72aeab2b3e0ba92a40
- https://github.com/anjoy8/Blog.Core/blob/bcb4d17ccc71e206a0c2ff663faf4b399e19f687/Blog.Core.Api/Controllers/UserController.cs#L139-L140
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.