Publish Date: Apr. 19, 2019
Summary
We've identified and fixed a vulnerability in the Spiceworks Community that would allow an attacker to download a CSV file containing some user names and associated email addresses.
Who’s Affected?
IT forensic analysis conducted by Spiceworks engineers suggests the exposed URL was not compromised, as there is no indication that anyone accessed it before the date the vulnerability was discovered. Therefore, we do not believe anyone was affected by this exploit.
Details
The Spiceworks Community contained a vulnerable URL that, if discovered, would allow an outside threat agent to download a CSV file containing PII of a subset of users, including username and email address. This vulnerability was the result of a Ruby on Rails test that lacked proper authentication...