CWE-598 (Information Exposure Through Query Strings in GET Request) — Vulnerability Class 55

55 vulnerabilities are classified as CWE-598 (Information Exposure Through Query Strings in GET Request). An AI-generated analysis (originally in Chinese) is included.

CWE-598 covers web applications that place sensitive data in the query string of a request, typically a GET: credentials, session or CSRF tokens, API keys, backup passwords, or personal data. The problem is not the HTTP method itself but where the URL ends up. Unlike the request body, the URL is written to places the application does not control: web server, proxy and WAF access logs, browser history and bookmarks, and the Referer header the browser attaches when the page loads a resource from, or links to, another origin. Anyone who can read those logs or that history, or who observes unencrypted traffic, recovers the secret without ever attacking the application itself. TLS protects the URL only in transit; it does nothing for log files, history or Referer leakage, so "use HTTPS" is not a fix for this weakness on its own. The mitigation is to carry sensitive values in the request body or in headers (for example an Authorization header, or a cookie with the Secure and HttpOnly flags), which in practice means handling such requests with POST rather than GET. Where a legacy GET endpoint cannot be changed immediately, a restrictive Referrer-Policy and redaction of query strings at the logging layer reduce, but do not remove, the exposure.

MITRE CWE Description
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.

Common Consequences (1)
Confidentiality: Read Application Data
At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulner…

Mitigations (1)
Implementation: When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.
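The leak paths described in the summary above (access logs and the Referer header) and the MITRE mitigation (body or headers instead of the query string) are easier to reason about with a runnable script. The following is an added example written for this page, not code from MITRE or from any of the listed products. It uses only the Python standard library; the sensitive parameter-name list, the log lines and the hostnames are constructed for illustration and are assumptions of the example.

```python
"""
Added example for CWE-598: why a secret placed in a GET query string leaks,
how to find such leaks in existing access logs, and how to send the same
value in a header instead. Standard library only; all inputs are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
from urllib.request import Request

# Query parameter names that usually carry secrets. This list is an assumption
# made for the example; add the names your own application uses.
SENSITIVE_PARAMS = {
    "token", "access_token", "session", "sessionid", "password", "passwd",
    "api_key", "apikey", "csrf_token", "auth",
}

# NCSA combined log format:
# host ident user [time] "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def sensitive_params(url_or_target):
    """Return [(name, value)] for query parameters whose name looks sensitive."""
    query = urlsplit(url_or_target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact(url_or_target):
    """Replace sensitive query values with REDACTED; use this before logging a URL."""
    parts = urlsplit(url_or_target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """
    Scan combined-format access log lines for secrets in the request target
    and in the Referer header. The Referer case is the second leak path: once a
    page was loaded from a URL carrying a token, the browser sends that URL to
    every host the page references (scripts, images, outbound links).
    """
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue
        for where in ("target", "referer"):
            for name, _ in sensitive_params(match.group(where)):
                findings.append({"line": number, "where": where,
                                 "param": name, "method": match.group("method")})
    return findings


def vulnerable_request(base_url, token):
    """The CWE-598 pattern: the token travels in the URL and into every log."""
    return Request(base_url + "?" + urlencode({"token": token}))


def hardened_request(base_url, token):
    """The MITRE mitigation: same value, carried in a request header instead."""
    return Request(base_url, headers={"Authorization": "Bearer " + token})


# Constructed log lines for the example (not real traffic). Line 3 shows the
# Referer leak; line 4 shows what the fixed login looks like in the log.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dashboard?session=9f2c1a HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 1024 "https://app.example/dashboard?session=9f2c1a" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: '{f['param']}' exposed in {f['where']} ({f['method']})")
    print(redact("/dashboard?session=9f2c1a&view=summary"))
    bad = vulnerable_request("https://app.example/api", "s3cr3t")
    good = hardened_request("https://app.example/api", "s3cr3t")
    print(bad.full_url)  # token visible in the URL, so in every log and Referer
    print(good.full_url, good.get_header("Authorization"))
```

Run against the constructed log, scan_log reports three findings: the password in line 1, the session token in line 2, and the same session token again in line 3, this time inside the Referer of a request for a static file, which is how a query-string secret reaches third-party hosts. The POST login in line 4 produces no finding because the credentials are in the body. The scanner only matches known parameter names; a secret under an unusual name will not be flagged, so treat a clean result as a starting point rather than proof. Redaction at the logging layer is a stop-gap: the value still reaches browser history and the Referer, so the endpoint itself should be moved to POST or to a header.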
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-22387 | Optimizely Configured Commerce security vulnerability | n/a | 8.2 | - | 2025-01-04
CVE-2024-41738 | IBM TXSeries for Multiplatforms information disclosure | TXSeries for Multiplatforms | 5.9 | Medium | 2024-11-01
CVE-2024-38863 | CSRF token leaked in URL parameters | Checkmk | 6.5 (AI) | Medium (AI) | 2024-10-14
CVE-2024-32931 | exacqVison - Token Disclosed in URL | exacqVision | 5.7 | Medium | 2024-08-01
CVE-2023-50954 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 4.3 | Medium | 2024-06-30
CVE-2024-2745 | Rapid7 InsightVM Sensitive Information Exposure via URL | InsightVM | 3.3 | Low | 2024-04-02
CVE-2023-32335 | IBM Maximo Application Suite information disclosure | Maximo Application Suite | 3.7 | Low | 2024-03-13
CVE-2023-50328 | IBM PowerSC information disclosure | PowerSC | 3.7 | Low | 2024-02-02
CVE-2023-6287 | Backup password in GET parameter | Checkmk Appliance | 3.3 | Low | 2023-11-27
CVE-2023-6014 | MLflow Authentication Bypass | mlflow/mlflow | 7.5 | - | 2023-11-16
CVE-2023-37935 | Fortinet FortiOS security vulnerability | FortiOS | 6.5 | Medium | 2023-10-10
CVE-2023-25524 | NVIDIA Omniverse Workstation Launcher security vulnerability | Omniverse Workstation Launcher | 4.0 | Medium | 2023-08-03
CVE-2022-34452 | Dell PowerPath Management Appliance security vulnerability | PowerPath Management Appliance | 2.7 | Low | 2023-02-10
CVE-2022-24414 | Dell EMC CloudLink information disclosure vulnerability | CloudLink | 7.6 | High | 2022-05-26
CVE-2022-25787 | GTA URLs issued by LMM WEB API may leak information | GateManager | 7.5 | High | 2022-05-04
CVE-2022-22551 | DELL EMC AppSync authorization issue vulnerability | AppSync | 8.3 | High | 2022-01-21
CVE-2021-36328 | Dell EMC Streaming Data Platform SQL injection vulnerability | Dell EMC Streaming Data Platform | 8.8 | - | 2021-11-30
CVE-2021-21594 | Dell Technologies Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 8.2 | High | 2021-08-16
CVE-2020-5331 | Dell EMC RSA Archer information disclosure vulnerability | RSA Archer | 8.8 | High | 2020-05-04
CVE-2019-18573 | Dell RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance authorization issue vulnerability | RSA Identity Governance & Lifecycle | 8.0 | - | 2019-12-18
CVE-2019-6531 | Kunbus PR100088 Modbus security vulnerability | PR100088 Modbus gateway | 5.9 | - | 2019-04-02
CVE-2018-14822 | Entes EMG12 information disclosure vulnerability | EMG12 | 9.8 | - | 2018-10-02
CVE-2018-5467 | Multiple Belden products security vulnerability | Hirschmann Automation and Control GmbH Classic Platform Switches | 8.2 | - | 2018-03-06
CVE-2017-3185 | Multiple ACTi products security vulnerability | ACTi D, B, I, and E series cameras | 9.1 | - | 2017-12-15
CVE-2017-8443 | Elasticsearch Kibana X-Pack Security information disclosure vulnerability | Kibana X-Pack Security | 7.4 | - | 2017-06-30

Vulnerabilities classified as CWE-598 (Information Exposure Through Query Strings in GET Request) account for 55 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.