220 – Business information leak - Token

Description

Some of the information of the user like the username/email and full name is included in the data contained in the session token.

Impact

Obtain name and emails of users.

Recommendation

Avoid to include sensitive user information in the session token.

Threat

External attacker with access to tokens.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 176 - Restrict system objects
• 177 - Avoid caching and temporary files
• 261 - Avoid exposing sensitive information
• 300 - Mask sensitive data

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Python
• Scala
• Typescript

Last updated

2024/02/16