
Sensitive Info Disclosure (unauthenticated Spring Boot Admin & actuator)

Open NinjaGPT opened this issue 5 months ago • 0 comments

Summary

The latest version (v3.3.4) of xboot allows unauthenticated access to both Spring Boot Admin and Spring Actuator, resulting in the exposure of extensive server configuration information and environment variables.

POC

http://127.0.0.1:8888/xboot/admin/wallboard
http://127.0.0.1:8888/xboot/actuator


NinjaGPT, Jul 22 '25 12:07
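The second PoC URL above returns the actuator's HAL index, which lists every endpoint the application exposes. A quick way to triage such a finding is to fetch that index without credentials and rate each listed endpoint by what it leaks. The script below is an added example written for this page; it is not code from the xboot project or from the issue reporter. The `fetch` argument is injectable so the parsing and rating logic runs offline against a constructed index document (`SAMPLE_INDEX`, modelled on what Spring Boot 3 returns when `management.endpoints.web.exposure.include=*` and no security filter covers `/actuator`; it was not captured from xboot). The sensitivity ratings in `SENSITIVE` are this example's own judgement.

```python
"""Triage an unauthenticated Spring Boot Actuator index (added example)."""
import json
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Endpoints whose unauthenticated exposure leaks secrets or internals, or
# permits state changes. Ratings are this example's own assessment.
SENSITIVE = {
    "env": "environment variables and config properties (credentials, keys)",
    "configprops": "resolved @ConfigurationProperties (datasource URLs, passwords)",
    "heapdump": "full JVM heap dump (in-memory secrets, session tokens)",
    "threaddump": "thread stacks, may contain request data",
    "beans": "complete bean graph (framework and library inventory)",
    "mappings": "every HTTP route, including admin endpoints",
    "loggers": "logger levels, writable via POST",
    "shutdown": "remote JVM shutdown via POST",
    "jolokia": "JMX over HTTP, arbitrary MBean invocation",
    "httpexchanges": "recent requests with headers (cookies, bearer tokens)",
    "sessions": "session IDs of logged-in users",
    "caches": "cache contents, evictable via DELETE",
}


def parse_actuator_index(body: str) -> list[str]:
    """Return the endpoint ids listed in the '_links' map of GET /actuator."""
    links = json.loads(body).get("_links", {})
    ids = set()
    for name in links:
        if name == "self":
            continue
        # Templated entries such as "env-toMatch" or "loggers-name" are
        # sub-resources of a base endpoint; fold them into the base id.
        ids.add(name.split("-", 1)[0])
    return sorted(ids)


def rate_exposure(endpoint_ids):
    """Split endpoint ids into ([(id, reason)] sensitive, [id] benign)."""
    sensitive = [(e, SENSITIVE[e]) for e in endpoint_ids if e in SENSITIVE]
    benign = [e for e in endpoint_ids if e not in SENSITIVE]
    return sensitive, benign


def fetch_unauthenticated(url, timeout=5):
    """GET url with no credentials; return (status, body) or (None, error)."""
    req = Request(url, headers={"Accept": "application/json",
                                "User-Agent": "actuator-triage"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:          # 401/403 here means the index is protected
        return e.code, ""
    except URLError as e:
        return None, str(e.reason)


def triage(base_url, fetch=fetch_unauthenticated):
    """Probe the actuator index and report what is reachable without auth."""
    status, body = fetch(base_url.rstrip("/"))
    if status != 200:
        return {"status": status, "exposed": False, "sensitive": [], "benign": []}
    sensitive, benign = rate_exposure(parse_actuator_index(body))
    return {"status": 200, "exposed": True, "sensitive": sensitive, "benign": benign}


# Constructed sample index (not captured from xboot); hrefs reuse the PoC host.
_BASE = "http://127.0.0.1:8888/xboot/actuator"
SAMPLE_INDEX = json.dumps({"_links": {
    "self": {"href": _BASE, "templated": False},
    "beans": {"href": _BASE + "/beans", "templated": False},
    "health": {"href": _BASE + "/health", "templated": False},
    "health-path": {"href": _BASE + "/health/{*path}", "templated": True},
    "info": {"href": _BASE + "/info", "templated": False},
    "env": {"href": _BASE + "/env", "templated": False},
    "env-toMatch": {"href": _BASE + "/env/{toMatch}", "templated": True},
    "heapdump": {"href": _BASE + "/heapdump", "templated": False},
    "loggers": {"href": _BASE + "/loggers", "templated": False},
    "loggers-name": {"href": _BASE + "/loggers/{name}", "templated": True},
    "metrics": {"href": _BASE + "/metrics", "templated": False},
    "metrics-requiredMetricName": {"href": _BASE + "/metrics/{requiredMetricName}", "templated": True},
    "mappings": {"href": _BASE + "/mappings", "templated": False},
    "configprops": {"href": _BASE + "/configprops", "templated": False},
}})


if __name__ == "__main__":
    # Offline run against the constructed index; pass fetch=fetch_unauthenticated
    # (the default) with a real URL to probe a live host you are authorised to test.
    report = triage(_BASE, fetch=lambda url: (200, SAMPLE_INDEX))
    for endpoint, reason in report["sensitive"]:
        print(f"EXPOSED {endpoint:12s} {reason}")
    print("benign:", ", ".join(report["benign"]))
```

If `triage` reports `exposed` for anything beyond `health` and `info`, the remediation on the application side is twofold: limit `management.endpoints.web.exposure.include` to the endpoints actually needed, and register a Spring Security filter chain matched on `EndpointRequest.toAnyEndpoint()` that requires an authenticated role for everything except `health`. The Spring Boot Admin UI at the first PoC URL needs its own authentication as well, since it proxies the same actuator data for every registered instance.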