FreedomBox · Plinth · CVE-2020-25073
**Name of the Vulnerable Software and Affected Versions**
FreedomBox versions prior to 20.14
Plinth versions prior to 20.14
**Description**
The issue allows remote attackers to obtain sensitive information from the "/server-status" page of the Apache HTTP Server. This is because a connection arriving through the Tor onion service, or through PageKite, is considered a local connection, so an access rule that admits only local clients does not block it. The Apache mod_status module must be enabled for this issue to occur.
**Recommendations**
For FreedomBox versions prior to 20.14, update to version 20.14 or later to resolve the issue.
For Plinth versions prior to 20.14, update to version 20.14 or later to resolve the issue.
As a temporary workaround, consider disabling the Apache mod_status module until a patch is available.
Restrict access to the "/server-status" page to minimize the risk of exploitation.
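
One way to check a configuration for the condition described above, as an added example that is not FreedomBox or Plinth code. It assumes Apache 2.4 `Require` syntax and that "/server-status" is guarded by a loopback-origin rule such as `Require local`; the function names and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not FreedomBox/Plinth code. Flags /server-status blocks that
# rely on a loopback-origin rule: requests relayed by a local Tor or PageKite
# process reach Apache from loopback, so such a rule lets them through.

# Print "lineno:directive" for each loopback-trusting Require inside a
# <Location> block covering /server-status; exit status 0 if any was found.
loopback_status_rules() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        line ~ /^<location(match)?[ \t]/ { in_status = (line ~ /server-status/); next }
        line ~ /^<\/location(match)?>/   { in_status = 0; next }
        in_status && line ~ /^require[ \t]/ &&
        line ~ /[ \t](local([ \t]|$)|localhost([ \t]|$)|127\.|::1)/ {
            printf "%d:%s\n", NR, line
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Verdict wrapper: returns 1 when the file needs review, 0 otherwise.
audit_status_conf() {
    if hits=$(loopback_status_rules "$1"); then
        echo "REVIEW $1: /server-status trusts loopback origin -> $hits"
        return 1
    fi
    echo "OK $1: no loopback-only rule on /server-status"
}

write_sample_conf() {    # constructed sample: access limited to local clients
    printf '%s\n' '<IfModule mod_status.c>' '    <Location /server-status>' \
        '        SetHandler server-status' '        Require local' \
        '    </Location>' '</IfModule>' > "$1"
}

write_hardened_conf() {  # constructed sample: page denied to every client
    printf '%s\n' '<Location /server-status>' '    SetHandler server-status' \
        '    Require all denied' '</Location>' > "$1"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample_conf "$d/weak.conf"; write_hardened_conf "$d/hard.conf"
    audit_status_conf "$d/weak.conf"; audit_status_conf "$d/hard.conf"
    rm -rf "$d"
fi
```

Run with `--demo` to see both verdicts, or source the file and call `audit_status_conf` on the enabled status configuration (on a Debian-based system this is assumed to be `/etc/apache2/mods-enabled/status.conf`).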