CVE-2025-48024
Authenticated user can access sensitive data via /api/v1/settings endpoint
Overview
CVE-2025-48024 is a vulnerability in BlueWave Checkmate before 2.1 that allows authenticated regular users to access sensitive application secrets via a specific endpoint, potentially leaking confidential information.
Technical Details
The /api/v1/settings endpoint in the BlueWave Checkmate application, versions before 2.1, is improperly secured. This allows authenticated users to access sensitive data they should typically not have access to.
CVSS Metrics
- version: 3.1
- attackVector: NETWORK
- attackComplexity: LOW
- privilegesRequired: LOW
- userInteraction: NONE
- scope: CHANGED
- confidentialityImpact: LOW
- integrityImpact: NONE
- availabilityImpact: NONE
Impact
Exploitation of this vulnerability may leak sensitive application secrets to authenticated regular users, and the leaked information can then be exploited by malicious users.
Recommendations
Updating the BlueWave Checkmate application to version 2.1 or later will mitigate this vulnerability. It is also essential to review user roles and access levels to ensure that only authorized and necessary personnel have access to sensitive data.
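The root cause described above is an endpoint that checks authentication but not authorization. The following added illustration is not Checkmate's own code: it models an Express-style handler chain for a settings route, once in the pattern the advisory describes (any authenticated user reaches the handler) and once gated on an admin role. The route name comes from the advisory; the role names, user objects, settings payload and the tiny chain runner are constructed for this example.

```javascript
// Added illustration (not Checkmate's own code): an Express-style handler chain
// for /api/v1/settings, shown as the pattern the advisory describes (any
// authenticated user passes) and as a role-gated variant. Role names, user
// objects and the settings payload are constructed for this example.

const SETTINGS = {                 // constructed sample payload
  appName: "checkmate-demo",
  smtpPassword: "s3cr3t-example",  // the kind of secret the advisory refers to
};

// Minimal stand-in for an Express app: run handlers in order and stop at the
// first one that writes a response.
function runChain(req, ...handlers) {
  const res = { status: null, body: null };
  for (const h of handlers) {
    h(req, res);
    if (res.status !== null) return res;
  }
  return res;
}

// Authentication only: rejects anonymous requests, says nothing about role.
function requireAuth(req, res) {
  if (!req.user) {
    res.status = 401;
    res.body = { error: "unauthenticated" };
  }
}

// Authorization: require a specific role on the already-authenticated user.
function requireRole(role) {
  return (req, res) => {
    if (!req.user || req.user.role !== role) {
      res.status = 403;
      res.body = { error: "forbidden" };
    }
  };
}

function settingsHandler(req, res) {
  res.status = 200;
  res.body = SETTINGS;
}

// Pattern described by the advisory: GET /api/v1/settings behind
// authentication only, so a regular user receives the secrets.
function getSettingsVulnerable(req) {
  return runChain(req, requireAuth, settingsHandler);
}

// Hardened shape: authentication, then an admin role check, before the handler.
function getSettingsHardened(req) {
  return runChain(req, requireAuth, requireRole("admin"), settingsHandler);
}

// Constructed requests: one regular user, one admin, one anonymous.
const regularUser = { user: { id: 2, role: "user" } };
const adminUser = { user: { id: 1, role: "admin" } };
const anonymous = {};

console.log("vulnerable, regular user:", getSettingsVulnerable(regularUser).status);
console.log("hardened, regular user:  ", getSettingsHardened(regularUser).status);
console.log("hardened, admin:         ", getSettingsHardened(adminUser).status);
console.log("hardened, anonymous:     ", getSettingsHardened(anonymous).status);
```

The point of keeping `requireRole` as a separate middleware is that it can be applied to every route that returns application configuration, so the review of roles and access levels recommended above becomes a check of which routes carry the role gate rather than a search through individual handlers.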
Threat Metrics
- cvss_score: 5.0
- severity: MEDIUM
- attack_vector: NETWORK
- attack_complexity: LOW