paxswill EVE Ship Replacement Program User Information api.py information disclosure
Description
The EVE Ship Replacement Program (SRP) webapp before v0.12.12 discloses user information due to improper access control in the User Information Handler.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
The vulnerability exists in the EVE Ship Replacement Program (SRP) web application, version 0.12.11 and earlier. The issue is located in the User Information Handler within the file src/evesrp/views/api.py. Improper handling of user information requests leads to information disclosure [1]. The exact nature of the flaw is not detailed, but it allows an attacker to access data without proper authorization.
Exploitation
The attack vector is remote; no authentication or special privileges are mentioned as prerequisites [1]. This suggests the vulnerable endpoint may be accessible to unauthenticated users, enabling remote exploitation.
Impact
Successful exploitation results in the disclosure of user information [1]. Given the context of an EVE Online ship replacement program, this could include player details, reimbursement data, or other sensitive information stored by the application.
Mitigation
The issue was addressed in version 0.12.12, released with a commit identified by hash 9e03f68e46e85ca9c9694a6971859b3ee66f0240 [1]. Users must upgrade to v0.12.12 or later. The project maintainer noted that a security vulnerability fixed in this version was reported by Galaxy Android [2]. The PyPA advisory database also tracks this CVE under identifier PYSEC-2023-208 [4]. No workarounds have been disclosed.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
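The Root Cause and Mitigation sections above describe a missing authorization check on an entity-detail API handler and the fix that adds one. The following is an added, framework-agnostic model of that check; it is not evesrp's own code. The in-memory user table, the `HTTPError` stand-in for Flask's `abort()`, the `admin_required` decorator and the status codes for the anonymous case are all constructed for this illustration; the real application uses Flask's `login_required` and SQLAlchemy models. It contrasts the pre-fix handler shape (no login or role check) with a guarded one, and shows why the role check is placed before the database lookup.

```python
"""Added example (not evesrp's own code): a framework-agnostic model of the
access check added to the entity-detail API handlers in v0.12.12.

Everything here (users, PermissionType values, HTTPError, admin_required)
is constructed for illustration; the real app uses Flask abort()/login_required.
"""
from dataclasses import dataclass, field
from enum import Enum
from functools import wraps


class HTTPError(Exception):
    """Stand-in for Flask's abort(): carries the HTTP status to return."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status


class PermissionType(Enum):
    submit = "submit"
    review = "review"
    admin = "admin"


@dataclass
class User:
    id: int
    name: str
    admin: bool = False                             # site-wide admin flag
    permissions: set = field(default_factory=set)   # division-level permissions
    is_authenticated: bool = True

    def has_permission(self, perm):
        return perm in self.permissions


ANONYMOUS = User(id=0, name="anonymous", is_authenticated=False)

# Constructed user table standing in for the User.query model
USERS = {
    1: User(1, "site-admin", admin=True),
    2: User(2, "division-admin", permissions={PermissionType.admin}),
    3: User(3, "pilot", permissions={PermissionType.submit}),
}


def get_or_404(table, key):
    """Model of SQLAlchemy's get_or_404(): missing row -> HTTP 404."""
    if key not in table:
        raise HTTPError(404)
    return table[key]


def user_detail_vulnerable(user_id, current_user):
    """Pre-fix shape: no login or role check, so any caller gets the record."""
    user = get_or_404(USERS, user_id)
    return {"id": user.id, "name": user.name, "admin": user.admin}


def admin_required(handler):
    """The guard the fix adds, factored into one decorator so every
    entity-detail handler applies the identical check.  It runs *before*
    the database lookup: a non-admin caller receives 403 for every id and
    cannot distinguish existing ids from missing ones via 404 responses."""
    @wraps(handler)
    def wrapper(*args, current_user, **kwargs):
        if not current_user.is_authenticated:       # login_required
            raise HTTPError(401)
        if not current_user.admin and not current_user.has_permission(PermissionType.admin):
            raise HTTPError(403)
        return handler(*args, current_user=current_user, **kwargs)
    return wrapper


@admin_required
def user_detail_fixed(user_id, current_user):
    """Post-fix shape: admin check, then lookup."""
    user = get_or_404(USERS, user_id)
    return {"id": user.id, "name": user.name, "admin": user.admin}


def call(handler, entity_id, current_user):
    """Invoke a handler and return the HTTP status it would produce."""
    try:
        handler(entity_id, current_user=current_user)
        return 200
    except HTTPError as e:
        return e.status


if __name__ == "__main__":
    for who in (ANONYMOUS, USERS[3], USERS[2], USERS[1]):
        print(f"{who.name:15} vulnerable={call(user_detail_vulnerable, 1, who)}"
              f" fixed={call(user_detail_fixed, 1, who)}"
              f" fixed/missing-id={call(user_detail_fixed, 999, who)}")
```

Running the block prints one line per caller: the unguarded handler returns 200 to everyone, including the anonymous caller, while the guarded one returns 401 to anonymous callers, 403 to a non-admin pilot (for both a real and a missing id), and 200 or 404 only to site admins and holders of the admin permission.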
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| EVE-SRP (PyPI) | < 0.12.12 | 0.12.12 |
Affected products
- Range: 0.12.11
Patches
- 9e03f68e46e8 Security Vuln: Check API access to entity details
1 file changed · +8 −0
src/evesrp/views/api.py+8 −0 modified@@ -57,7 +57,11 @@ def list_entities(): @api.route('/user/<int:user_id>/') +@login_required def user_detail(user_id): + if not current_user.admin and not \ + current_user.has_permission(PermissionType.admin): + abort(403) user = User.query.get_or_404(user_id) # Set up divisions submit = map(lambda p: p.division, @@ -84,7 +88,11 @@ def user_detail(user_id): @api.route('/group/<int:group_id>/') +@login_required def group_detail(group_id): + if not current_user.admin and not \ + current_user.has_permission(PermissionType.admin): + abort(403) group = Group.query.get_or_404(group_id) submit = map(lambda p: p.division, filter(lambda p: p.permission == PermissionType.submit,
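Review bot: the guard added at the top of user_detail relies on `abort`, `login_required`, `current_user` and `PermissionType` being in scope, yet this +8/−0 diff adds no import lines; confirm api.py already imports all four (in particular `login_required` and `current_user` from the login extension), otherwise the new decorator fails with NameError at import time instead of denying access. Placing the admin check before `user = User.query.get_or_404(user_id)` is the right order: a non-admin caller receives 403 for every id, so the 404-versus-200 difference no longer reveals which user ids exist. One behavioural consequence worth stating in the commit message: an authenticated non-admin user can no longer fetch their own record through this endpoint; if self-access was intended, an explicit `current_user.id == user_id` allowance would need to sit alongside the admin check.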
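Review bot: the four-line admin check in group_detail is a verbatim copy of the one added to user_detail; factor it into a small decorator stacked under `@api.route` (or a helper called by both) so any further entity-detail routes in this module pick up the same check and the two copies cannot drift apart. The backslash continuation inside the `if` condition would also read better wrapped in parentheses.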
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/paxswill/evesrp/commit/9e03f68e46e85ca9c9694a6971859b3ee66f0240 (ghsa, patch, WEB)
- github.com/paxswill/evesrp/releases/tag/v0.12.12 (ghsa, patch, WEB)
- github.com/advisories/GHSA-fxqx-xgqq-gf42 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-36660 (ghsa, ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/eve-srp/PYSEC-2023-208.yaml (ghsa, WEB)
- vuldb.com (ghsa, signature, permissions-required, WEB)
- vuldb.com (ghsa, vdb-entry, technical-description, WEB)