080 – Business information leak - Customers or providers

Description

Sensitive information such as customer or providers lists, emails, phone numbers or identifiers can be obtained from the application.

Impact

Obtain sensitive information to craft new attack vectors.

Recommendation

Implement security controls to ensure that the leaked information can be accessed only by authenticated and authorized users.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: L
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): H
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 176 - Restrict system objects
• 177 - Avoid caching and temporary files
• 261 - Avoid exposing sensitive information
• 300 - Mask sensitive data

Fixes

• Csharp
• Elixir
• Go
• Java
• Php
• Python
• Scala
• Typescript

Last updated

2024/02/12