In modoboa prior to 2.1.0, sending a GET request to the endpoint /api/v2/parameters/core/
returns sensitive information without any authentication or authorization.
{ "nvd_published_at": "2023-04-21T13:15:07Z", "cwe_ids": [ "CWE-285" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-04-24T20:23:45Z" }