Steam Trader
Monthly
ArthurFiorette steam-trader 2.1.1 exposes complete Steam account credentials through an unauthenticated API endpoint, enabling account takeover. Attackers can retrieve usernames, passwords, identity secrets, shared secrets, and session tokens via the /users endpoint without authentication (CVSS:3.1 AV:N/AC:L/PR:N). This critical vulnerability (CVSS 10.0) allows generation of valid Steam Guard 2FA codes and complete account hijacking. EPSS data unavailable, no CISA KEV listing, and critically: no patch exists as the repository is archived and unmaintained. Authentication bypass and information disclosure tags confirm trivial exploitation requiring only network access.
ArthurFiorette steam-trader 2.1.1 exposes complete Steam account credentials through an unauthenticated API endpoint, enabling account takeover. Attackers can retrieve usernames, passwords, identity secrets, shared secrets, and session tokens via the /users endpoint without authentication (CVSS:3.1 AV:N/AC:L/PR:N). This critical vulnerability (CVSS 10.0) allows generation of valid Steam Guard 2FA codes and complete account hijacking. EPSS data unavailable, no CISA KEV listing, and critically: no patch exists as the repository is archived and unmaintained. Authentication bypass and information disclosure tags confirm trivial exploitation requiring only network access.