alf.io · CVE-2024-25635
**Name of the Vulnerable Software and Affected Versions**
alf.io versions prior to 2.0-M4-2402
**Description**
The admin API endpoint `/admin/api/users/<user id>` returns the details of whichever `user id` is supplied without checking that the user belongs to an organization the caller owns. An authenticated organization owner can therefore read the users, and the generated API keys, of other organization owners simply by requesting their ids. Because API keys are themselves represented as users, the key value can appear in the `username` field of the returned record. (The original report demonstrates this against a local test instance at `http://192.168.26.128:8080`.)
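The following is an added example, not code from alf.io or from the original report. It models the endpoint's missing object-level authorization in two forms: a lookup by id only (the vulnerable shape described above) and a hardened lookup that requires the record to belong to an organization the caller owns, returning the same 404 for "not found" and "not yours" so the endpoint cannot be used to enumerate ids. The data model, field names and the `leaks_cross_org` regression check are assumptions for illustration; the API-key value in the sample data is a constructed placeholder.

```python
# Added example (not alf.io code): minimal model of an admin "get user by id"
# endpoint, in its vulnerable and hardened forms. Names and model are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


@dataclass(frozen=True)
class User:
    id: int
    username: str
    organization_id: int
    is_api_key: bool = False  # API keys are represented as user records (per the advisory)


@dataclass(frozen=True)
class Principal:
    """The authenticated organization owner making the request."""
    user_id: int
    owned_organizations: FrozenSet[int]


class NotFound(Exception):
    pass


# Constructed sample data: two organizations, one API-key record whose
# `username` field holds the key value (placeholder string, not a real key).
USERS: Dict[int, User] = {
    1: User(1, "alice", organization_id=10),
    2: User(2, "bob", organization_id=20),
    3: User(3, "CONSTRUCTED-API-KEY-VALUE", organization_id=20, is_api_key=True),
}


def serialize(user: User) -> dict:
    return {
        "id": user.id,
        "username": user.username,
        "organizationId": user.organization_id,
        "apiKey": user.is_api_key,
    }


def get_user_vulnerable(principal: Principal, user_id: int) -> dict:
    """Vulnerable shape: the caller is authenticated, but the record is looked up
    by id only, so any organization owner can read any user or API key."""
    user = USERS.get(user_id)
    if user is None:
        raise NotFound(user_id)
    return serialize(user)


def get_user_fixed(principal: Principal, user_id: int) -> dict:
    """Hardened shape: object-level authorization. The record must belong to an
    organization the caller owns. Missing and foreign records both yield the
    same NotFound so the endpoint cannot be used to enumerate user ids."""
    user = USERS.get(user_id)
    if user is None or user.organization_id not in principal.owned_organizations:
        raise NotFound(user_id)
    return serialize(user)


def leaks_cross_org(handler: Callable[[Principal, int], dict],
                    principal: Principal, user_id: int) -> bool:
    """Regression check: True if `handler` hands back a record belonging to an
    organization the principal does not own."""
    try:
        record = handler(principal, user_id)
    except NotFound:
        return False
    return record["organizationId"] not in principal.owned_organizations


if __name__ == "__main__":
    alice = Principal(user_id=1, owned_organizations=frozenset({10}))
    print("vulnerable leaks org-20 API key:", leaks_cross_org(get_user_vulnerable, alice, 3))
    print("fixed leaks org-20 API key:", leaks_cross_org(get_user_fixed, alice, 3))
```

The same `leaks_cross_org` shape can be wrapped around a real deployment: authenticate as an owner of one organization, request a user id known to belong to another, and treat an HTTP 200 carrying that record as a failed check.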
**Recommendations**
For versions prior to 2.0-M4-2402, update to version 2.0-M4-2402 or later, which resolves the issue.
Until the update is applied, restrict access to the `/admin/api/users/<user id>` endpoint as a temporary workaround, for example at the reverse proxy, allowing it only for the instance administrator or a trusted network. Note that this also blocks legitimate organization owners from reading their own users through that endpoint, so it is a stop-gap rather than a fix.