Web.config File Information Disclosure

Medium | Web Application Scanning | Plugin ID 98594

Synopsis

Web.config File Information Disclosure

Description

An information disclosure vulnerability exists in the remote web server due to the disclosure of the web.config file. An unauthenticated, remote attacker can exploit this, via a simple GET request, to disclose potentially sensitive configuration information.

Solution

Ensure proper restrictions are in place on the file, or remove it if it is not required.
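
One way to confirm from server logs whether the file was ever served, as an added example that is not part of the plugin or its vendor's code. It assumes IIS W3C logs with a #Fields header; the function name, the sample log and its addresses are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample log in IIS W3C extended format; every value is invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-05-14 10:00:01 GET /default.aspx - 203.0.113.10 200
2019-05-14 10:00:07 GET /web.config - 203.0.113.10 404
2019-05-14 10:02:13 GET /app/Web.config - 198.51.100.7 200
2019-05-14 10:03:00 POST /login.aspx - 192.0.2.44 302
"""


def find_web_config_requests(log_text):
    """Return (timestamp, client_ip, uri, verdict) for each web.config request.

    verdict is "disclosed" when the server answered 2xx (the file was served)
    and "probed" for any other status (the request was refused or not found).
    """
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared in the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Normalise percent-encoding in case the stem was logged encoded.
        stem = unquote(row.get("cs-uri-stem", ""))
        # Windows paths are case-insensitive; compare only the last segment.
        if stem.rsplit("/", 1)[-1].lower() != "web.config":
            continue
        status = row.get("sc-status", "")
        verdict = "disclosed" if status.startswith("2") else "probed"
        timestamp = f"{row.get('date')} {row.get('time')}"
        findings.append((timestamp, row.get("c-ip"), stem, verdict))
    return findings


if __name__ == "__main__":
    for finding in find_web_config_requests(SAMPLE_LOG):
        print(*finding)
```

Any "disclosed" row means the configuration contents left the server, so secrets stored in the file (connection strings, keys) should be treated as exposed and rotated.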

Plugin Details

Severity: Medium

ID: 98594

Type: remote

Published: 2019/05/14

Updated: 2019/05/14

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference Information

CWE: 425

WASC: Predictable Resource Location

OWASP: 2010-A4, 2013-A4, 2017-A5