Sensitive Information Disclosure via /auth/info in eladmin ≤ 2.7(CWE-200)

## Sensitive Information Disclosure via /auth/info in eladmin ≤ 2.7(CWE-200)

### Summary

In eladmin versions up to 2.7, the `/auth/info` endpoint returns user information without filtering entity fields. As a result, sensitive data including the user’s password hash is mistakenly returned, creating a risk of offline password brute-force attacks.

### Vulnerability Description

When logged-in users request `/auth/info`, the server returns all entity fields without filtering, including the user password hash.

### Vulnerability details

Sending the following request shows that the response includes the user’s password hash.  

<img width="2559" height="1439" alt="Image" src="https://github.com/user-attachments/assets/9026140e-4ed3-423d-8e44-2c42ac4eefd5" />

This field is not used on the frontend.  

<img width="2559" height="1438" alt="Image" src="https://github.com/user-attachments/assets/5a34b960-9a2b-43aa-b083-de26316e2955" />

This leads to a risk of offline password cracking.  

<img width="1875" height="518" alt="Image" src="https://github.com/user-attachments/assets/5664f49f-807a-47a3-b094-d77902414d10" />

### Impact

- Exposure of password hashes to authenticated users
    
- Risk of offline password brute-force attacks
    

### Remediation

Filter entity fields at the DTO layer to return only the necessary fields required by the frontend.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Sensitive Information Disclosure via /auth/info in eladmin ≤ 2.7(CWE-200) #885