PlayTube 3.0.1 Information Disclosure

2023.09.05
Credit: CraCkEr
Risk: Low
Local: No
Remote: Yes
CWE: CWE-266

# Exploit Title: PlayTube 3.0.1 - Redirect Information Disclosure # Exploit Author: CraCkEr # Date: 19/08/2023 # Vendor: PlayTube # Vendor Homepage: https://playtubescript.com/ # Software Link: https://demo.playtubescript.com/ # Tested on: Windows 10 Pro # Impact: Sensitive Information Leakage # CVE: CVE-2023-4714 # CWE: CWE-200 - CWE-284 - CWE-266 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description Information disclosure issue in the redirect responses, When accessing any page on the website, Sensitive data, such as app IDs, is being exposed in the body of these redirects. ## Steps to Reproduce: When you visit most of pages on the website, such as the index page for example: https://website/ in the body page response there's information leakage for "RazorPay Payment" id KEY +--------------------------------------+ razorpay_options = { key: "rzp_test_ruz***********" +--------------------------------------+ Note: The same information leaked, for the app ID KEY, was added to the "Payment Configuration" in the Administration Panel Settings of "Payment Configuration" in the Administration Panel, on this Path: https://website/admin-cp/payment-settings [-] Done


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top