CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS
Percentile
56.4%
weblogin/login.fcgi (aka the WebLogin login script) in Stanford University
WebAuth 3.5.5, 3.6.0, and 3.6.1 places passwords in URLs in certain
circumstances involving conversion of a POST request to a GET request,
which allows context-dependent attackers to discover passwords by reading
(1) web-server access logs, (2) web-server Referer logs, or (3) the browser
history.