CVE-2024-57716: 
C# vulnerability analysis and mitigation

An information disclosure vulnerability exists in trenoncourt AutoQueryable version 1.7.0 that allows a remote attacker to obtain sensitive information via the Unselectable function. The vulnerability was discovered in July 2024 and assigned CVE-2024-57716 (Vulnerability Research).

The vulnerability exists in the Unselectable property functionality of AutoQueryable. Even when data is marked as unselectable using the UnselectableProperties attribute, attackers can still access the protected information by using the values as filters in queries. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating remote exploitability with no privileges required (CISA-ADP).

The vulnerability allows unauthorized access to sensitive data that was intended to be protected by the Unselectable tag. Attackers can extract information from fields marked as unselectable by using filter operations such as contains, startswith, and endswith. This could lead to exposure of sensitive information like passwords or other protected data (Vulnerability Research).

As of the current data, there is no official patch available for this vulnerability. The best practice for protecting sensitive data is to use DTO (Data Transfer Object) projection instead of relying on the Unselectable property (AutoQueryable Docs).