036 – ViewState not encrypted
Description
The state information of application forms that is stored in the ViewState is not encrypted.
Impact
Leak app state information through the ViewState value.
Recommendation
Encrypt the ViewState in the application configuration.
Threat
Anonymous attacker with local access to the victims browser.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: L
- Attack complexity: H
- Attack Requirements: N
- Privileges required: N
- User interaction: N
- Confidentiality (VC): L
- Integrity (VI): N
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: X