When making some REST API calls, some of the internal field attribute codes may be visible in the URL. Is this a vulnerability?
Environment
Any Supported Clarity Release
Resolution
This is by design.
There are no plans to make any changes to how those are displayed.
The names and labels of Clarity attributes are considered to be metadata and not sensitive data.
Most of the Clarity requests where the attribute codes can be seen are available only to users with the relevant permissions, such as API - Access.
We recommend making sure this permission is granted only to users who are supposed to have it.
If any of the attribute names are something you consider sensitive, we recommend using more generic custom attribute names instead.
User-defined or custom attributes created through Studio are controlled by your administrator, who can ensure that the attribute label, attribute ID and attribute API are defined in a generic manner so as not to expose sensitive information.