CVE-2025-60949
Information Disclosure via Unauthenticated Access to Census CSWeb Config
Publication date: 2026-03-23
Last updated on: 2026-03-25
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| csprousers | csweb | 8.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
Census CSWeb version 8.0.1 can expose its "app/config" directory over HTTP in certain deployments. A remote attacker, without authenticating, can request the configuration files in that directory and potentially obtain sensitive information or secrets they contain. The issue was fixed in version 8.1.0 alpha.
How can this vulnerability impact me?
This vulnerability can have a severe impact because it lets an unauthenticated remote attacker read configuration files and extract the secrets they hold. Leaked secrets can lead to unauthorized access, data breaches, or further exploitation of the system. The CVSS v3.1 base score of 9.1 falls in the critical range (9.0 and above), with high confidentiality and integrity impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Request the "app/config" directory under the CSWeb base URL from an unauthenticated client (for example with curl or a short script) and inspect the response. A 200 response means the web server is serving that directory; a 401 or 403 on the directory alone is not proof that the files inside it are blocked, so also request any file names you know exist in your own deployment's app/config directory.
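The following script is an added example for the check described above; it is not part of this advisory or of the CSWeb project. It assumes CSWeb is served at the base URL you pass in (e.g. `https://host/csweb`) and that the vulnerable directory sits at `app/config/` beneath it, as the description states. Because this page does not list the file names under `app/config`, the script probes only the directory by default; the `extra_paths` argument is a hypothetical hook for file names the operator knows from their own install.

```python
"""Check whether a CSWeb deployment serves app/config over HTTP (CVE-2025-60949).

Added example, not CSWeb project code. Assumes the application lives at the
base URL given on the command line; file names under app/config are not named
on the advisory page, so only operator-supplied names are probed beyond the
directory itself.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Directory named in the advisory (relative to the CSWeb base URL).
CONFIG_DIR = "app/config/"


def classify(status):
    """Turn an HTTP status code (None = connection failed) into a verdict."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "exposed"        # content served to an unauthenticated client
    if status in (401, 403):
        return "blocked"        # refused; a 403 on the directory may only mean
                                # directory listing is off while files stay readable
    if status == 404:
        return "not-found"      # wrong base URL, or directory outside the web root
    return "inconclusive"       # 3xx (often a login redirect) or anything else


def build_targets(base_url, extra_paths=()):
    """Return the list of URLs to probe: the directory plus any known file names."""
    base = base_url.rstrip("/") + "/"
    rel = [CONFIG_DIR] + [CONFIG_DIR + p.lstrip("/") for p in extra_paths]
    return [urljoin(base, r) for r in rel]


def fetch_status(url, timeout=10):
    """GET a URL without following redirects; return the status code or None."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Returning None makes urllib surface the 3xx as HTTPError
        # instead of silently following it to a login page.
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "csweb-config-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def check_deployment(base_url, extra_paths=(), timeout=10):
    """Probe every target and map each URL to its verdict."""
    return {url: classify(fetch_status(url, timeout))
            for url in build_targets(base_url, extra_paths)}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: csweb_config_check.py https://host/csweb [file-under-app/config ...]")
    for url, verdict in check_deployment(sys.argv[1], sys.argv[2:]).items():
        print(f"{verdict:12} {url}")
```

Treat "exposed" on the directory as a confirmed finding and "blocked" as a partial result only: web servers commonly return 403 for a directory with indexing disabled while still serving the files inside it, which is exactly the condition an attacker needs. The advisory says the exposure occurs "in certain deployments", so if CSWeb is reachable under more than one host name or path alias, run the check against each.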
What immediate steps should I take to mitigate this vulnerability?
Upgrade to a release that contains the fix; the description states the issue was fixed in version 8.1.0 alpha. Until the upgrade is in place, make sure the web server does not serve the "app/config" directory to HTTP clients, and rotate any secrets stored in those configuration files if there is any indication they were reachable.