CVE-2024-9447

Medium CVSS 6.5

Overview

An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. The `/get/organisation/` endpoint does not verify the user's organization, allowing any authenticated user to retrieve sensitive configuration details, including API keys, of any organization. This could lead to unauthorized access to services and significant data breaches or financial loss.

CWE: CWE-1230 Published: 2025-03-20T10:15:49.200

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

CVSS: 6.5 (MEDIUM)
Detected tags: info_leak, unauth_access (tag impact: HIGH)

Recommended actions:

Reduce verbose errors, remove debug endpoints, minimize PII in logs.
Enforce authentication/authorization; reduce default endpoint exposure.

Overview

Recommended tools

Tags