PT-2026-53678 · Hieventsdev · Hi.Events
George Chen · Published 2026-06-29 · Updated 2026-06-29
CVE-2026-57960
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N |
In Hi.Events through 1.9.0, the public check-in list endpoints use the short id as the sole access control, allowing unauthenticated access to retrieve full attendee lists, including emails and personal information. An attacker who knows the short id can call GET /api/public/check-in-lists/{short id}/attendees to read attendee data, and can create or delete check-in records without authentication.
Fix
Weakness Enumeration
Related identifiers
Affected products
Hi.Events