PT-2025-12281 · Unknown · Transformeroptimus/Superagi

Published

2025-03-20

Updated

2025-03-21

CVE-2024-9418

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions transformeroptimus/superagi version 0.0.14

Description The API endpoint /api/users/get/{id} returns the user's password in plaintext, allowing an attacker to retrieve the password of another user. This could lead to potential account takeover.

Recommendations For version 0.0.14, consider disabling the /api/users/get/{id} endpoint until a patch is available to prevent the exposure of user passwords. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the id variable in the affected API endpoint until the issue is resolved.

Exploit

Fix

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-522CWE-256

Related Identifiers

CVE-2024-9418

Affected Products

Transformeroptimus/Superagi

PT-2025-12281 · Unknown · Transformeroptimus/Superagi

CVE-2024-9418

Weakness Enumeration

Related Identifiers

Affected Products

References · 4