PT-2023-13227 · Unknown · Btcpay Server

Antoine Poinsot

Published: 2023-01-31 · Updated: 2023-02-08

CVE-2022-32984

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: BTCPay Server versions 1.3.0 through 1.5.3

Description: The issue allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information is embedded in the HTML source of the Point of Sale page and includes the xpub of the store. Additionally, if the store is not using the internal lightning node, the credentials of the external lightning node are exposed as well.

Recommendations: For BTCPay Server versions 1.3.0 through 1.5.3, consider restricting access to the public Point of Sale app to minimize the risk of sensitive information exposure. As a temporary workaround, review the HTML source of the Point of Sale page to ensure no sensitive data is inadvertently exposed. Restrict access to the xpub of the store and to the lightning node credentials until a patch is available.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2022-32984

Affected Products: Btcpay Server