Autocaliweb Exposure of Sensitive API Keys Vulnerability
Vulnerability
A vulnerability in Autocaliweb prior to version 0.8.3 allows the debug pack to unintentionally expose sensitive configuration data, including API keys. This issue arises because the 'to_dict()' method, responsible for serializing configuration for the debug pack, fails to properly filter out sensitive information such as API tokens. As a result, users may unknowingly share debug packs containing their private API keys.
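The pattern described above, a configuration serializer that dumps every field verbatim into a support artifact, and the hardened form that redacts secret-looking fields before the debug pack is rendered, as an added example. This is not Autocaliweb's code: the `AppConfig` class, its field names, the `redact_config` and `find_leaked_secrets` helpers and the sample values are all constructed for illustration.

```python
"""Added example, not Autocaliweb's code: a config serializer that leaks
secrets into a debug pack beside a hardened one that redacts them.
Class, field and function names are constructed for illustration."""
import re
from dataclasses import dataclass, asdict

# Field names matching this pattern are treated as secrets. Constructed list;
# a real project should maintain an explicit allow/deny list per field.
SENSITIVE_NAME_RE = re.compile(r"(api[_-]?key|token|secret|password|passwd)",
                               re.IGNORECASE)
REDACTED = "<redacted>"


@dataclass
class AppConfig:
    # Hypothetical configuration fields (not Autocaliweb's schema).
    config_port: int = 8083
    config_calibre_dir: str = "/books"
    config_goodreads_api_key: str = ""
    config_ldap_password: str = ""
    config_kobo_sync_token: str = ""

    def to_dict_unfiltered(self) -> dict:
        """Vulnerable pattern: every field, secrets included, is serialized
        as-is, so whatever consumes this dict (e.g. a settings.txt in a
        debug pack) carries the raw API keys."""
        return asdict(self)

    def to_dict(self) -> dict:
        """Hardened pattern: same shape, but secret-looking fields are
        replaced before the dict leaves the process."""
        return redact_config(asdict(self))


def redact_config(cfg: dict) -> dict:
    """Return a copy of cfg with non-empty values of sensitive-looking keys
    replaced by REDACTED. Empty values are kept so a debugger can still see
    that a key is simply not configured. Nested dicts are handled too."""
    out = {}
    for name, value in cfg.items():
        if isinstance(value, dict):
            out[name] = redact_config(value)
        elif SENSITIVE_NAME_RE.search(name) and value not in ("", None):
            out[name] = REDACTED
        else:
            out[name] = value
    return out


def render_settings_txt(cfg: dict) -> str:
    """Render a config dict the way a debug pack might write settings.txt."""
    return "\n".join(f"{k} = {v}" for k, v in sorted(cfg.items()))


def find_leaked_secrets(settings_text: str, known_secrets) -> list:
    """Check to run before a debug pack is shared: which of the known secret
    values still appear verbatim in the rendered text? Empty strings are
    skipped because they would match everything."""
    return [s for s in known_secrets if s and s in settings_text]


if __name__ == "__main__":
    # Constructed sample values.
    cfg = AppConfig(config_goodreads_api_key="gr-KEY-123",
                    config_ldap_password="hunter2")
    secrets = ["gr-KEY-123", "hunter2"]
    print("unfiltered leaks:",
          find_leaked_secrets(render_settings_txt(cfg.to_dict_unfiltered()),
                              secrets))
    print("redacted leaks:  ",
          find_leaked_secrets(render_settings_txt(cfg.to_dict()), secrets))
```

The redaction is keyed on field names rather than on value shape because API keys have no reliable format across providers; the `find_leaked_secrets` pass is the complementary value-based check that catches a secret living under a field name the pattern missed.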
Impact
This vulnerability can lead to unauthorized access to services connected via the exposed API keys, potentially allowing misuse of those services, access to user data on third-party platforms, or incurring costs on behalf of the user.
Reproduction
To reproduce this vulnerability, generate a debug package from the Autocaliweb Admin page. After downloading and unzipping the package, open the 'settings.txt' file, which will contain the raw API keys. This demonstrates how the vulnerability exposes sensitive information that could be shared with unauthorized parties.
Remediation
Users are advised to update Autocaliweb to version 0.8.3 or later, where this vulnerability has been patched.
