The dfir-iris iris-web platform, used for collaborative incident response, improperly returns sensitive information to users in versions before 2.4.28. This behavior corresponds to CWE-201, where sensitive data is inserted into data sent to clients unnecessarily. The vulnerability has a CVSS score of 6.5 (medium severity) with network attack vector, low attack complexity, requiring low privileges and no user interaction, and impacts confidentiality but not integrity or availability. Version 2.4.28 contains a patch that resolves this issue. No cloud service is involved, and no vendor advisory explicitly states remediation details beyond the version update.

The vulnerability allows unauthorized disclosure of sensitive information to users of the iris-web platform, potentially exposing confidential data during incident response collaboration. The impact is limited to confidentiality without affecting integrity or availability. There are no reports of active exploitation in the wild.

Upgrade dfir-iris iris-web to version 2.4.28 or later, which contains a patch addressing this vulnerability. Since no additional vendor advisory details are provided, check official vendor resources for any further remediation guidance. Patch status is confirmed by the version update; no other mitigations are specified.