342 – Technical information leak - Alert
Description
Technical information is obtained from the application due to the use of the alert() function (javascript) whose output will always be displayed on the client side. In development environment it is acceptable to use this function to see errors, but using it in production environment is the same as exposing yourself to show sensitive information of the application.
Impact
Open the browser console and send real and fake requests to the application, waiting for it to display console information.
Recommendation
Completely remove the console.log(), alert() function from all javascript files in production environments.
Threat
Anonymous user from the Internet.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: H
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): L
- Integrity (VI): N
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: P