CVE-2025-42603

Information Disclosure Vulnerability in Meon KYC solutions

CVSS 8.7 HIGH · EPSS 0.3% · CWE-319
In short

Meon KYC API endpoints send sensitive user data without encryption in responses, allowing attackers who intercept network traffic to read and steal this information. An attacker could use this data to impersonate other users and take over their accounts.

Technical detail

CWE-319 (Cleartext Transmission of Sensitive Information): Authenticated attackers can intercept unencrypted API responses containing sensitive user data from Meon KYC endpoints. The vulnerability enables account takeover through data interception and user impersonation, requiring network access to the communication channel.

Summary generated and translated by AI from the official description.
This vulnerability exists in the Meon KYC solutions due to the transmission of sensitive data in plain text within the response payloads of certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting an API response that contains unencrypted sensitive information belonging to other users. Successful exploitation of this vulnerability could allow a remote attacker to impersonate the target user and gain unauthorized access to the user's account.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
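The two conditions the description names, sensitive fields returned in cleartext and a response that carries another user's data, are both checkable offline from a recorded exchange. The following is an added example, not code from the advisory or from Meon: a small audit routine that flags a non-TLS transport, a missing HSTS header and sensitive-looking keys in a JSON body, plus a hardened serializer that allow-lists fields and refuses to serialize a record for anyone but its own subject. The endpoint URL, field names, key patterns and sample payload are all constructed for illustration and are not Meon's real schema.

```python
"""Added example (not from the advisory or from Meon): offline audit of an API
response for CWE-319-style exposure, and a data-minimising serializer.
Endpoint names, field names and the sample payload are constructed."""
import json
import re
from urllib.parse import urlparse

# Keys a KYC response should never carry in cleartext (constructed list;
# adapt to the real schema of the service being reviewed).
SENSITIVE_KEY_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"^(ssn|aadhaar|pan|passport|national_id)",
              r"dob|date_of_birth",
              r"otp|password|secret|session|token",
              r"card|account_number|iban")
]
# Fields the hardened serializer is allowed to emit (constructed allow-list).
PUBLIC_KEYS = {"kyc_status", "verified_at", "reference_id"}

# Constructed sample: a KYC lookup answered with full PII and a session token.
SAMPLE_LEAKY_RESPONSE = {
    "user_id": "u-1001", "kyc_status": "verified", "reference_id": "ref-77",
    "full_name": "A. Example", "date_of_birth": "1990-01-01",
    "document": {"type": "passport", "passport_number": "X1234567"},
    "session_token": "constructed-token",
}
SAMPLE_URL_HTTP = "http://kyc.example.invalid/api/v1/user/u-1001"   # hypothetical
SAMPLE_URL_HTTPS = "https://kyc.example.invalid/api/v1/user/u-1001"  # hypothetical


def _walk(obj, path=""):
    """Yield (dotted_path, value) for every leaf of a nested JSON object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def audit_response(url, headers, body):
    """Return a list of finding strings for one recorded API response.

    A finding is raised when the URL scheme is not https, when the
    Strict-Transport-Security header is absent, and for each body field whose
    key matches one of the sensitive-key patterns."""
    findings = []
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        findings.append(f"cleartext transport: {scheme}://")
    norm = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in norm:
        findings.append("missing Strict-Transport-Security header")
    for path, _ in _walk(body):
        leaf_key = path.rsplit(".", 1)[-1]
        if any(p.search(leaf_key) for p in SENSITIVE_KEY_PATTERNS):
            findings.append(f"sensitive field in response body: {path}")
    return findings


def minimise(record, requester_id):
    """Hardened serializer: only allow-listed fields leave the server, and a
    record is serialized only for its own subject, so one user's response can
    never carry another user's data. Returns None when the subject differs."""
    if record.get("user_id") != requester_id:
        return None
    return {k: v for k, v in record.items() if k in PUBLIC_KEYS}


if __name__ == "__main__":
    for f in audit_response(SAMPLE_URL_HTTP, {}, SAMPLE_LEAKY_RESPONSE):
        print("FINDING:", f)
    print(json.dumps(minimise(SAMPLE_LEAKY_RESPONSE, "u-1001")))
```

Run against the constructed sample, the audit reports the plain-HTTP transport, the missing HSTS header and three body fields (`date_of_birth`, `document.passport_number`, `session_token`); the same payload served over HTTPS with HSTS and only the allow-listed fields produces no findings. The serializer's subject check is the part that addresses the "belonging to other users" clause: transport encryption alone does not stop an authenticated client from receiving data it was never entitled to.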
Affected products
Meon · KYC solutions
