CVE-2021-44692

medium

Description

BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. [email protected] would become /members/johndoeexample-com and [email protected] would become /members/jo-testexample-com. The members list is available to everyone and (in a default configuration) often without authentication. It is therefore trivial to collect a list of email addresses.

References

https://www.cygenta.co.uk/post/buddyboss

https://www.buddyboss.com/resources/buddyboss-platform-releases/

Details

Source: Mitre, NVD

Published: 2022-01-26

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00779