Gophish is vulnerable to Incorrect Access Control

Basic Information

  • GHSA ID: GHSA-9f8m-9547-2gqm
  • CVE ID: CVE-2025-70963
  • Severity: MEDIUM
  • Published: 2026-02-06T18:30:32Z
  • Source: GitHub Advisory

Vulnerability Description

Gophish <= 0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard embeds each user's long-lived API key directly in the rendered HTML/JavaScript of the page on every login. As a result, permanent API credentials are readable by any script running in the browser context.

Affected Scope

  • go:github.com/gophish/gophish (<= 0.12.1)

CVSS Score

  • CVSS v4: 6.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U)

CWE Classification

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-284: Improper Access Control

EPSS Score

  • EPSS: N/A

Extraction Notes

  • Data Source: GitHub Security Advisories Database
  • Confidence Level: High (official vulnerability database)
  • Processed: 2026-02-08T07:47:59.619744