
Raditzz0

#34541 of 53,632
7.5 Total CVSS
Vulnerabilities · 1
PT-2025-5596
7.5
2025-02-01
Rengine · Rengine · CVE-2025-24899
Name of the Vulnerable Software and Affected Versions: reNgine versions prior to 2.2.0

Description: A vulnerability was discovered in reNgine, where an insider attacker with any role can extract sensitive information from other reNgine users. After running a scan and obtaining vulnerabilities from a target, the attacker can retrieve details such as `username`, `password`, `email`, `role`, `first name`, `last name`, `status`, and `activity information` by making a GET request to "/api/listVulnerability/".

Recommendations: For versions prior to 2.2.0, update to version 2.2.0 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/listVulnerability/" endpoint until the update is applied. Avoid using sensitive information in the affected API endpoint until the issue is resolved.