Open Event Server
Monthly
Sensitive information disclosure in FOSSASIA Open Event Server through 1.19.1 lets unauthenticated remote attackers export the full member roster of any group - email addresses, names, join dates, and roles - because the group followers CSV export endpoint carries no authentication decorator. Publicly available exploit code exists; the flaw is trivially automatable by enumerating sequential group IDs, triggering an export, and polling the unauthenticated task-status endpoint for the download URL. No public exploit has been added to CISA KEV, but the CVSS 4.0 base score of 8.7 (High) and confirmed PoC make it a credible mass-scraping risk.
Sensitive information disclosure in FOSSASIA Open Event Server through 1.19.1 lets unauthenticated remote attackers export the full member roster of any group - email addresses, names, join dates, and roles - because the group followers CSV export endpoint carries no authentication decorator. Publicly available exploit code exists; the flaw is trivially automatable by enumerating sequential group IDs, triggering an export, and polling the unauthenticated task-status endpoint for the download URL. No public exploit has been added to CISA KEV, but the CVSS 4.0 base score of 8.7 (High) and confirmed PoC make it a credible mass-scraping risk.