CVE-2022-32984

BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn't using the internal lightning node, the credentials of a lightning node are exposed.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://blog.btcpayserver.org/btcpay-server-cve-2022-32984/	Vendor Advisory
https://blog.btcpayserver.org/btcpay-server-cve-2022-32984/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*

History

27 Mar 2025, 19:15

Type	Values Removed	Values Added
CWE		CWE-200

21 Nov 2024, 07:07

Type	Values Removed	Values Added
Summary		(es) BTCPay Server v1.3.0 a v1.5.3 permite a un atacante remoto obtener información confidencial cuando se expone una aplicación de punto de venta pública. La información confidencial, que se encuentra en el código fuente HTML, incluye el xpub de la tienda. Además, si la tienda no utiliza el nodo Lightning interno, las credenciales de un nodo Lightning quedan expuestas.
References	~~() https://blog.btcpayserver.org/btcpay-server-cve-2022-32984/ - Vendor Advisory~~	() https://blog.btcpayserver.org/btcpay-server-cve-2022-32984/ - Vendor Advisory

01 Feb 2023, 13:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-01-31 22:15

Updated : 2025-03-27 19:15

NVD link : CVE-2022-32984

Mitre link : CVE-2022-32984

CVE.ORG link : CVE-2022-32984

JSON object : View

Products Affected

btcpayserver

btcpay_server

CWE

NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2022-32984", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-01-31T22:15:08.000", "references": [{"url": "https://blog.btcpayserver.org/btcpay-server-cve-2022-32984/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://blog.btcpayserver.org/btcpay-server-cve-2022-32984/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn't using the internal lightning node, the credentials of a lightning node are exposed."}, {"lang": "es", "value": "BTCPay Server v1.3.0 a v1.5.3 permite a un atacante remoto obtener informaci\u00f3n confidencial cuando se expone una aplicaci\u00f3n de punto de venta p\u00fablica. La informaci\u00f3n confidencial, que se encuentra en el c\u00f3digo fuente HTML, incluye el xpub de la tienda. Adem\u00e1s, si la tienda no utiliza el nodo Lightning interno, las credenciales de un nodo Lightning quedan expuestas."}], "lastModified": "2025-03-27T19:15:44.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8195AB97-8ABD-4422-81E8-8D0D4B97268A", "versionEndIncluding": "1.5.3", "versionStartIncluding": "1.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}