CVE-2025-54768

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://korelogic.com/Resources/Advisories/KL-001-2025-015.txt	Exploit Third Party Advisory
https://lpar2rrd.com/note800.php	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:xorux:lpar2rrd:*:*:*:*:*:*:*:*

History

09 Oct 2025, 17:43

Type	Values Removed	Values Added
CPE		cpe:2.3:a:xorux:lpar2rrd::::::::
First Time		Xorux lpar2rrd Xorux
References	~~() https://korelogic.com/Resources/Advisories/KL-001-2025-015.txt -~~	() https://korelogic.com/Resources/Advisories/KL-001-2025-015.txt - Exploit, Third Party Advisory
References	~~() https://lpar2rrd.com/note800.php -~~	() https://lpar2rrd.com/note800.php - Release Notes

29 Jul 2025, 14:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
Summary		(es) Un endpoint de API, que debería estar limitado a los administradores de aplicaciones web, está oculto, pero es accesible para usuarios de aplicaciones web de solo lectura de nivel inferior. Este endpoint puede usarse para descargar registros de la configuración del dispositivo, lo que expone información confidencial.

29 Jul 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-29 00:15

Updated : 2025-10-09 17:43

NVD link : CVE-2025-54768

Mitre link : CVE-2025-54768

CVE.ORG link : CVE-2025-54768

JSON object : View

Products Affected

xorux

lpar2rrd

CWE

CWE-648

Incorrect Use of Privileged APIs

5.3 /10