In version 0.0.14 of transformeroptimus/superagi, the API endpoint /api/users/get/{id} returns the users password in plaintext. This vulnerability allows an attacker to retrieve the password of another user, leading to potential account takeover.
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.