
Description

When the login page is accessed, it triggers a request whose response includes an unminified, non-obfuscated script in which the BotChat Direct Line secret key can be read in plain text. The secret is the long-lived credential for the bot's Direct Line channel, so anyone who loads the page receives it.

Impact

An unauthenticated attacker can obtain the Direct Line secret key and use it to open conversations with the application bot directly, bypassing the web front end and any controls it applies.

Recommendation

- Keep the Direct Line secret on the server only. Exchange it server-side for a short-lived Direct Line token and hand just that token to the browser; the secret itself must never be part of a client-delivered script.
- Minify and obfuscate delivered scripts. Note that this only makes the key harder to spot; anything shipped to the browser can still be read, so it is not a substitute for removing the secret from the client.
- Use a vault service or environment variables to protect sensitive information, rather than embedding it in source code or build artifacts.
- Treat the exposed key as compromised and rotate it.
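The following is an added example written for this page, not code from the affected application or from the Bot Framework project. It shows what the leaked pattern looks like in a shipped bundle (constructed sample, placeholder secret), a small scanner that flags it, and the server-side exchange of the secret for a short-lived Direct Line token so that only the token reaches the browser. The token endpoint URL and the shape of its JSON response are the real Direct Line API; the regex heuristics, the sample bundle and the injected `fetchImpl` parameter are assumptions made for the example.

```javascript
// Added example, not part of the original advisory.

// Constructed client bundle showing the anti-pattern: the long-lived Direct
// Line secret embedded in the script that the login page pulls in.
// The secret value is a placeholder, not a real key.
const SAMPLE_BUNDLE = `
  var botConnection = new DirectLine({
    secret: "EXAMPLE_DIRECTLINE_SECRET_NOT_REAL",
    webSocket: true
  });
`;

// Heuristic patterns that usually mean "the secret shipped to the browser".
// Chosen for this example; they are not an official signature.
const SECRET_PATTERNS = [
  // new DirectLine({ secret: "..." }) or DirectLine.create({ secret: '...' })
  /\bsecret\s*:\s*["']([^"']{20,})["']/g,
  // A raw Bearer header aimed at the Direct Line service.
  /Bearer\s+([A-Za-z0-9._\-]{20,})/g,
];

// Scan bundle text and return every candidate secret with its offset.
// Run this over the response of the script request the login page triggers.
function findDirectLineSecrets(bundleText) {
  const hits = [];
  for (const pattern of SECRET_PATTERNS) {
    pattern.lastIndex = 0; // reset the global regex between scans
    let match;
    while ((match = pattern.exec(bundleText)) !== null) {
      hits.push({ value: match[1], offset: match.index });
    }
  }
  return hits;
}

// Hardened flow: the server holds the secret (from a vault or environment
// variable) and exchanges it for a short-lived, conversation-scoped token.
// fetchImpl is injected so the function can be exercised without network
// access; in production pass the global fetch.
async function issueDirectLineToken(secret, fetchImpl = fetch) {
  const res = await fetchImpl(
    "https://directline.botframework.com/v3/directline/tokens/generate",
    { method: "POST", headers: { Authorization: `Bearer ${secret}` } }
  );
  if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status}`);
  const body = await res.json();
  // Return only the token and its lifetime; the secret stays server-side.
  return { token: body.token, expiresIn: body.expires_in };
}

// What the browser should receive instead of the secret: a bootstrap that
// starts Web Chat from the short-lived token.
function clientBootstrap(token) {
  return `new DirectLine({ token: ${JSON.stringify(token)} })`;
}
```

In practice the server endpoint that calls `issueDirectLineToken` should itself be authenticated or rate-limited, since a token still lets the holder talk to the bot for its lifetime; the gain is that the long-lived secret is never exposed and a token expires on its own.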

Threat

Anonymous attacker who loads the login page from the Internet.

Expected Remediation Time

⏱️ 60 minutes.

Score

Default score using CVSS 4.0. It may change depending on the context of the source.

Base 4.0

Attack vector

N

Attack complexity

L

Attack requirements

N

Privileges required

N

User interaction

N

Confidentiality (VC)

L

Integrity (VI)

N

Availability (VA)

N

Confidentiality (SC)

N

Integrity (SI)

N

Availability (SA)

N

Threat 4.0

Exploit maturity

X

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N