ID CVE-2020-29041
Summary A misconfiguration in Web-Sesame 2020.1.1.3375 allows an unauthenticated attacker to download the source code of the application, which makes the application easier to understand and review. Specifically, JavaScript source maps were inadvertently included in the production Webpack configuration. These maps contain the sources used to generate the bundle, configuration settings (e.g., API keys), and developers' comments.
References
Vulnerable Configurations
  • cpe:2.3:a:sesame-system:web-sesame:2020.1.1.3375:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 13-01-2021 - 19:22)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
refmap via4
misc
Last major update 13-01-2021 - 19:22
Published 06-01-2021 - 21:15
Last modified 13-01-2021 - 19:22