Business information leak - Firestore
Description
When attempting to activate a plan, the responses to Firestore API requests contain user credentials.
Impact
Obtain credentials from other services.
Recommendation
Ensure that responses to requests do not contain confidential information.
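One way to check this recommendation against captured traffic, as an added example that is not part of the original page: the script walks a document in the Firestore REST typed-value format (`fields`, `mapValue`, `arrayValue`) and reports field paths whose names look like credentials. The name pattern, the function names and the sample response are assumptions constructed for illustration.

```python
import re

# Assumed naming convention for secret-bearing fields; adapt to your own schema.
SENSITIVE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|credential", re.I)

def walk(value, path):
    """Yield the path of every leaf inside a Firestore REST typed value."""
    if "mapValue" in value:
        for key, child in value["mapValue"].get("fields", {}).items():
            yield from walk(child, f"{path}.{key}")
    elif "arrayValue" in value:
        for i, child in enumerate(value["arrayValue"].get("values", [])):
            yield from walk(child, f"{path}[{i}]")
    else:
        yield path  # stringValue, integerValue, booleanValue, ...

def find_sensitive_fields(document):
    """Return sorted field paths in a response document that match SENSITIVE."""
    hits = set()
    for key, value in document.get("fields", {}).items():
        hits.update(p for p in walk(value, key) if SENSITIVE.search(p))
    return sorted(hits)

# Constructed sample response; the values are placeholders, not real data.
SAMPLE_RESPONSE = {
    "name": "projects/example-project/databases/(default)/documents/plans/plan-1",
    "fields": {
        "planName": {"stringValue": "basic"},
        "owner": {"mapValue": {"fields": {
            "email": {"stringValue": "user@example.com"},
            "password": {"stringValue": "PLACEHOLDER"},
        }}},
        "integrations": {"arrayValue": {"values": [
            {"mapValue": {"fields": {
                "provider": {"stringValue": "billing"},
                "apiKey": {"stringValue": "PLACEHOLDER"},
            }}},
        ]}},
    },
}

if __name__ == "__main__":
    for field_path in find_sensitive_fields(SAMPLE_RESPONSE):
        print("sensitive field returned to client:", field_path)
```

Any path it reports is a field that should be moved out of client-readable documents or removed from the response before it leaves the backend.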
Threat
Anonymous attacker from the Internet.
Expected Remediation Time
⏱️ 60 minutes.
Requirements
176 - Restrict system objects
177 - Avoid caching and temporary files
261 - Avoid exposing sensitive information
300 - Mask sensitive data
Score
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
Attack vector: N
Attack complexity: L
Attack requirements: N
Privileges required: N
User interaction: N
Confidentiality (VC): L
Integrity (VI): N
Availability (VA): N
Confidentiality (SC): N
Integrity (SI): N
Availability (SA): N
Threat 4.0
Exploit maturity: P
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P