Description

This web application is storing some connection strings in plaintext inside the web.config file. This is not recommended as an attacker might gain access to this file using a path traversal (or similar) vulnerabilities. It's recommended to use Protected Configuration to improve the security of your application by encrypting sensitive information that is stored in the web.config file.

Remediation

ASP.NET provides a feature called Protected Configuration, which enables you to encrypt sensitive information in a configuration file. It's recommended to use this feature to encrypt sensitive information that is stored in the web.config file.

References

Encrypting Configuration Information Using Protected Configuration

Connection Strings and Configuration Files

Related Vulnerabilities

Weak Secret is Used to Sign JWT

Wildcard Detected in Port Portion of Content Security Policy (CSP) Directive

WebPageTest Unauthorized Access Vulnerability

Unrestricted access to Prometheus

WordPress Plugin Jetpack-WP Security, Backup, Speed, & Growth Information Disclosure (9.7.1)

Severity

High

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Information Disclosure