Simplechat
Monthly
Missing authentication in Microsoft SimpleChat (prior to 0.241.206) lets remote, unauthenticated clients invoke administrative plugin validation, health-check, and repair endpoints that were documented as protected but never enforced authentication at runtime. Any network-reachable attacker can trigger plugin instantiation, health probing, and repair actions without login or admin rights. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Insecure Direct Object Reference (IDOR) in Microsoft SimpleChat exposes any authenticated user's profile data to other authenticated users without authorization checks. The GET /api/user/info/<user_id> and GET /api/user/profile-image/<user_id> endpoints in route_backend_users.py accept a caller-supplied user_id and query the Cosmos DB user-settings document directly, bypassing object-level authorization - enabling enumeration of email addresses, display names, and profile images across the entire user base. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; the vendor-released fix is version 0.241.203.
Missing authentication in Microsoft SimpleChat (prior to 0.241.206) lets remote, unauthenticated clients invoke administrative plugin validation, health-check, and repair endpoints that were documented as protected but never enforced authentication at runtime. Any network-reachable attacker can trigger plugin instantiation, health probing, and repair actions without login or admin rights. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Insecure Direct Object Reference (IDOR) in Microsoft SimpleChat exposes any authenticated user's profile data to other authenticated users without authorization checks. The GET /api/user/info/<user_id> and GET /api/user/profile-image/<user_id> endpoints in route_backend_users.py accept a caller-supplied user_id and query the Cosmos DB user-settings document directly, bypassing object-level authorization - enabling enumeration of email addresses, display names, and profile images across the entire user base. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; the vendor-released fix is version 0.241.203.