CVE-2022-32984

Source
https://cve.org/CVERecord?id=CVE-2022-32984
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32984.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-32984
Published
2023-01-31T22:15:08Z
Modified
2026-03-14T11:46:39.412225Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn't using the internal lightning node, the credentials of a lightning node are exposed.

References

Affected packages

Git / github.com/btcpayserver/btcpayserver

Affected ranges

Type
GIT
Repo
https://github.com/btcpayserver/btcpayserver
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.3.0"
        },
        {
            "last_affected": "1.5.3"
        }
    ]
}

Affected versions

BTCPayServer.*
BTCPayServer.Client/v1.5.0
BTCPayServer.Client/v1.6.0
BTCPayServer.Client/v1.7.0
v1.*
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5.0
v1.5.1
v1.5.2
v1.5.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-32984.json"