Application Leaks Sensitive Data:
Impact: Confidentiality, Integrity
API affected:
/dojoviews/ViewConfigCache
Vulnerability summary:
The application exposes a list of active usernames, including administrators, in a background JSON response.
Vulnerability background:
Web applications often use background requests (e.g. via AJAX or Fetch API) to dynamically update content without reloading the page. These requests can return large JSON structures containing data used by the front-end. If such responses include sensitive or excessive information, they may unintentionally aid attackers in reconnaissance or privilege escalation efforts.
Vulnerability details:
While loading the main dashboard, the application issues a POST request to the /dojoviews/ViewConfigCache endpoint. The response includes a large JSON object that contains a full list of existing user account names, including usernames with administrative privileges. This information is accessible to any authenticated user, increasing the risk of targeted attacks such as credential stuffing or privilege abuse.
Remediation advice:
Limit the data returned by backend APIs to only what is strictly necessary for the requesting user's role and interface. Avoid exposing sensitive internal details such as usernames, especially those of privileged accounts, in client-facing responses. Enforce role-based access controls on API endpoints and regularly audit application responses for excessive data exposure.
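The following is an added Python example, not Watch4net|M&R code, illustrating the two parts of the advice above: a view-configuration serializer that embeds the whole account directory (the pattern described in this report) beside a role-aware version that returns only what the caller needs, and a small audit routine that walks a captured JSON response and flags any list of objects that looks like an account directory. The user records, field names (`username`, `role`, `email`) and the function names are constructed for the example.

```python
"""Added example (not Dell/Watch4net code): role-aware response minimisation
and a response-audit check for exposed account lists.
All user records below are constructed sample data, not real accounts."""
import json

# Constructed sample user directory.
USERS = [
    {"id": 1, "username": "alice", "role": "admin", "email": "alice@example.test"},
    {"id": 2, "username": "bob", "role": "operator", "email": "bob@example.test"},
    {"id": 3, "username": "carol", "role": "viewer", "email": "carol@example.test"},
]


def view_config_oversharing(requesting_user):
    """Weak form: the complete user directory (including administrators) is
    embedded in the view config for every authenticated caller."""
    return {"views": ["dashboard", "topology"], "users": USERS}


def view_config_minimal(requesting_user):
    """Hardened form: filter by the caller's role and drop fields the UI does
    not need.  Admins get id/username/role for account management; anyone
    else gets only their own record, reduced to id and username.  E-mail
    addresses and other users' roles are never sent to non-admins."""
    if requesting_user["role"] == "admin":
        users = [{"id": u["id"], "username": u["username"], "role": u["role"]}
                 for u in USERS]
    else:
        users = [{"id": u["id"], "username": u["username"]}
                 for u in USERS if u["id"] == requesting_user["id"]]
    return {"views": ["dashboard", "topology"], "users": users}


# Keys whose presence in every element of an object list suggests an
# account directory is being returned (assumed names for this example).
ACCOUNT_KEYS = {"username", "user", "login", "email", "role"}


def audit_response(body):
    """Walk a decoded JSON response and report every list of objects that
    looks like an account directory.  Returns a list of
    (json_path, record_count, privileged_record_count) tuples, which is what
    a periodic audit of captured responses would log or alert on."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            objs = [x for x in node if isinstance(x, dict)]
            if objs and all(ACCOUNT_KEYS & set(o) for o in objs):
                privileged = sum(
                    1 for o in objs
                    if str(o.get("role", "")).lower() in ("admin", "administrator"))
                findings.append((path, len(objs), privileged))
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(body, "$")
    return findings


if __name__ == "__main__":
    viewer = USERS[2]  # a low-privilege caller
    for name, fn in (("oversharing", view_config_oversharing),
                     ("minimal", view_config_minimal)):
        # Round-trip through JSON to mimic what the browser actually receives.
        body = json.loads(json.dumps(fn(viewer)))
        print(name, audit_response(body))
```

Run as a script, the audit reports three account records (one privileged) for the over-sharing response and a single self-record for the minimal one; the same `audit_response` function can be pointed at response bodies exported from the browser developer tools during a periodic review.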
Please find below the evidence captured from the web browser developer tools while accessing the notification dashboard or topology from the front end (FE):
All supported releases of Watch4net|M&R
The behavior observed where user details, including those with elevated privileges, are returned in a JSON response is aligned with the current design of the feature. This data is accessible only to authenticated users, and there is no exposure to unauthorized parties outside of valid sessions.
It is recommended to switch to HTTPS to ensure encrypted communication and prevent potential interception of sensitive information.
Role-based data filtering is not available for this feature by design. As a result, all user records are returned regardless of the viewer's role. Addressing this request would require a significant design change and should be treated as an enhancement. As M&R is an end-of-availability product, enhancements are not permitted.
NOTE:
Even when using HTTPS, the response data will remain visible through browser developer tools for authenticated users. However, HTTPS ensures that any data transmitted over the network is encrypted, preventing it from being intercepted and read in plain text by unauthorized third parties.
To clarify, switching to HTTPS is not presented as a solution to the specific concern raised. It is a best-practice recommendation aimed at securing data in transit through encryption.