Search
Find a vulnerability
Search criteria
2 vulnerabilities found for groov View Server by Opto 22
CVE-2025-13084 (GCVE-0-2025-13084)
Vulnerability from nvd – Published: 2025-11-26 17:39 – Updated: 2025-11-26 18:59
VLAI
EPSS
VEX
Title
Opto 22 groov View Exposure of Sensitive Information Through Metadata
Summary
The users endpoint in the groov View API returns a list of all users and
associated metadata including their API keys. This endpoint requires an
Editor role to access and will display API keys for all users,
including Administrators.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Opto 22 | groov View Server |
Affected:
R1.0a , ≤ R4.5d
(custom)
|
|
| Opto 22 | GRV-EPIC-PR1 Firmware |
Affected:
0 , ≤ 4.0.3
(custom)
|
|
| Opto 22 | GRV-EPIC-PR2 Firmware |
Affected:
0 , ≤ 4.0.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T18:59:01.900699Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T18:59:31.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "groov View Server",
"vendor": "Opto 22",
"versions": [
{
"lessThanOrEqual": "R4.5d",
"status": "affected",
"version": "R1.0a",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GRV-EPIC-PR1 Firmware",
"vendor": "Opto 22",
"versions": [
{
"lessThanOrEqual": "4.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GRV-EPIC-PR2 Firmware",
"vendor": "Opto 22",
"versions": [
{
"lessThanOrEqual": "4.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opto_22:groov_view_server:*:*:windows:*:*:*:*:*",
"versionEndIncluding": "r4.5d",
"versionStartIncluding": "r1.0a",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opto_22:grv-epic-pr1_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.0.3",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opto_22:grv-epic-pr2_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.0.3",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The users endpoint in the groov View API returns a list of all users and\n associated metadata including their API keys. This endpoint requires an\n Editor role to access and will display API keys for all users, \nincluding Administrators."
}
],
"value": "The users endpoint in the groov View API returns a list of all users and\n associated metadata including their API keys. This endpoint requires an\n Editor role to access and will display API keys for all users, \nincluding Administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T17:39:37.931Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.opto22.com/support/resources-tools/knowledgebase/kb91325"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-04"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-04.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Opto 22 has published a patch to address this vulnerability and \nrecommends that users upgrade to groov View Server for Windows Version \nR4.5e and GRV-EPIC Firmware Version 4.0.3. Additional information is \navailable from Opto 22 \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.opto22.com/support/resources-tools/knowledgebase/kb91325\"\u003ehere\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Opto 22 has published a patch to address this vulnerability and \nrecommends that users upgrade to groov View Server for Windows Version \nR4.5e and GRV-EPIC Firmware Version 4.0.3. Additional information is \navailable from Opto 22 here https://www.opto22.com/support/resources-tools/knowledgebase/kb91325 ."
}
],
"source": {
"advisory": "ICSA-25-329-04",
"discovery": "EXTERNAL"
},
"title": "Opto 22 groov View Exposure of Sensitive Information Through Metadata",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-13084",
"datePublished": "2025-11-26T17:39:37.931Z",
"dateReserved": "2025-11-12T19:21:15.811Z",
"dateUpdated": "2025-11-26T18:59:31.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13084 (GCVE-0-2025-13084)
Vulnerability from cvelistv5 – Published: 2025-11-26 17:39 – Updated: 2025-11-26 18:59
VLAI
EPSS
VEX
Title
Opto 22 groov View Exposure of Sensitive Information Through Metadata
Summary
The users endpoint in the groov View API returns a list of all users and
associated metadata including their API keys. This endpoint requires an
Editor role to access and will display API keys for all users,
including Administrators.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Opto 22 | groov View Server |
Affected:
R1.0a , ≤ R4.5d
(custom)
|
|
| Opto 22 | GRV-EPIC-PR1 Firmware |
Affected:
0 , ≤ 4.0.3
(custom)
|
|
| Opto 22 | GRV-EPIC-PR2 Firmware |
Affected:
0 , ≤ 4.0.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T18:59:01.900699Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T18:59:31.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "groov View Server",
"vendor": "Opto 22",
"versions": [
{
"lessThanOrEqual": "R4.5d",
"status": "affected",
"version": "R1.0a",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GRV-EPIC-PR1 Firmware",
"vendor": "Opto 22",
"versions": [
{
"lessThanOrEqual": "4.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GRV-EPIC-PR2 Firmware",
"vendor": "Opto 22",
"versions": [
{
"lessThanOrEqual": "4.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opto_22:groov_view_server:*:*:windows:*:*:*:*:*",
"versionEndIncluding": "r4.5d",
"versionStartIncluding": "r1.0a",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opto_22:grv-epic-pr1_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.0.3",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opto_22:grv-epic-pr2_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.0.3",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The users endpoint in the groov View API returns a list of all users and\n associated metadata including their API keys. This endpoint requires an\n Editor role to access and will display API keys for all users, \nincluding Administrators."
}
],
"value": "The users endpoint in the groov View API returns a list of all users and\n associated metadata including their API keys. This endpoint requires an\n Editor role to access and will display API keys for all users, \nincluding Administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T17:39:37.931Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.opto22.com/support/resources-tools/knowledgebase/kb91325"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-04"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-04.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Opto 22 has published a patch to address this vulnerability and \nrecommends that users upgrade to groov View Server for Windows Version \nR4.5e and GRV-EPIC Firmware Version 4.0.3. Additional information is \navailable from Opto 22 \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.opto22.com/support/resources-tools/knowledgebase/kb91325\"\u003ehere\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Opto 22 has published a patch to address this vulnerability and \nrecommends that users upgrade to groov View Server for Windows Version \nR4.5e and GRV-EPIC Firmware Version 4.0.3. Additional information is \navailable from Opto 22 here https://www.opto22.com/support/resources-tools/knowledgebase/kb91325 ."
}
],
"source": {
"advisory": "ICSA-25-329-04",
"discovery": "EXTERNAL"
},
"title": "Opto 22 groov View Exposure of Sensitive Information Through Metadata",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-13084",
"datePublished": "2025-11-26T17:39:37.931Z",
"dateReserved": "2025-11-12T19:21:15.811Z",
"dateUpdated": "2025-11-26T18:59:31.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}