cbcvebase.
CVE-2023-27587
published 2023-03-13


Priority: P272, medium, 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 3.86% (88.8th percentile)
ReadtoMyShoe, a web app that lets users upload articles and listen to them later, generates an error message containing sensitive information prior to commit 8533b01. If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, then it will include the full URL of the request. The request URL contains the Google Cloud API key. This has been patched in commit 8533b01. Upgrading should be accompanied by deleting the current GCP API key and issuing a new one. There are no known workarounds.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
readtomyshoe_project | readtomyshoe | < 2023-03-13 | 2023-03-13
rozbb | readtomyshoe | <= 0.2.0 | -

Detection & IOCs (extracted from sources)

url: https://texttospeech.googleapis.com/v1beta1/text:synthesize?key=
path: /api/add-article-by-text
command:
    POST /api/add-article-by-text HTTP/1.1
    Host: {{Hostname}}
    Accept-Encoding: gzip, deflate
    Content-Type: application/json

    { "title":"Kernsicherheitstest", "body":"Kernsicherheitstest" }
  • Trigger the vulnerability by sending a POST request to /api/add-article-by-text with a JSON body containing 'title' and 'body' fields; a vulnerable instance returns HTTP 500 with Content-Type: text/plain and a response body containing both 'Caused by:' and 'TTS request failed', which may also leak the full Google Cloud TTS URL including the API key.
  • Look for HTTP 500 responses with Content-Type: text/plain containing the string 'https://texttospeech.googleapis.com/v1beta1/text:synthesize?key=' in the response body, which indicates a leaked GCP API key.
  • Response body keywords 'Caused by:' and 'TTS request failed' together on a 500 response to /api/add-article-by-text are strong indicators of a vulnerable ReadToMyShoe instance.
  • The vulnerability exists only in ReadToMyShoe versions prior to commit 8533b01; patched instances will not leak the API key in error messages.
  • Even after patching, any previously exposed GCP API key must be revoked and replaced, as it may have already been leaked to authenticated users who triggered the error.
  • Exploitation requires an authenticated (low-privilege) user account; the CVSS vector specifies PR:L (privileges required: low).
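
The response indicators listed above can be applied to already-captured response logs to decide whether the key needs rotating. The following is an added example, not code from ReadToMyShoe or from this page's sources; the record layout, the function names and the sample bodies are assumptions constructed for illustration, and the key value is a placeholder.

```python
import re

# Indicator strings taken from the detection notes on this page.
TTS_URL = "https://texttospeech.googleapis.com/v1beta1/text:synthesize?key="
KEYWORDS = ("Caused by:", "TTS request failed")
# Assumption: the key value runs up to whitespace, a quote, '&' or ')'.
KEY_RE = re.compile(re.escape(TTS_URL) + r"[^\s\"'&)]+")

def redact(body):
    """Replace the key value so findings can be stored without re-leaking it."""
    return KEY_RE.sub(TTS_URL + "[REDACTED]", body)

def classify(status, content_type, body):
    """Return 'key-leaked', 'vulnerable-pattern' or 'clean' for one logged response."""
    if status != 500 or not content_type.lower().startswith("text/plain"):
        return "clean"
    if KEY_RE.search(body):
        return "key-leaked"          # the GCP API key must be revoked and reissued
    if all(k in body for k in KEYWORDS):
        return "vulnerable-pattern"  # unpatched error path, no key in this body
    return "clean"

def triage(records):
    """records: iterable of (path, status, content_type, body) tuples."""
    findings = []
    for path, status, content_type, body in records:
        verdict = classify(status, content_type, body)
        if verdict != "clean":
            findings.append((path, verdict, redact(body)))
    return findings

# Constructed sample records (not real traffic; the key is a placeholder).
SAMPLE = [
    ("/api/add-article-by-text", 500, "text/plain; charset=utf-8",
     "TTS request failed\n\nCaused by:\n    error sending request for url ("
     + TTS_URL + "PLACEHOLDER_KEY_0000)"),
    ("/api/add-article-by-text", 500, "text/plain",
     "TTS request failed\n\nCaused by:\n    upstream timeout"),
    ("/api/add-article-by-text", 200, "application/json", "{}"),
    ("/api/add-article-by-text", 500, "text/plain", "internal error"),
]

if __name__ == "__main__":
    for path, verdict, safe_body in triage(SAMPLE):
        print(path, verdict, repr(safe_body))
```

Any 'key-leaked' finding means the key reached a client and should be treated as compromised regardless of patch status.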

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vulncheck | - | 7.4 | HIGH | -