Laravel Telescope Unrestricted Access

high Web App Scanning Plugin ID 114405

Synopsis

Laravel Telescope Unrestricted Access

Description

Laravel Telescope provides an overview of requests entering your application, exceptions, log entries, database queries, pending tasks, mail, notifications, cache operations, scheduled tasks, variable flushes and much more. If an attacker gains access to this dashboard, it would be possible to access a great deal of sensitive information.

Solution

Authentication should be enforced to prevent unauthorized access to the Laravel Telescope Dashboard.

See Also

https://github.com/laravel/telescope

https://laravel.com/docs/11.x/telescope

Plugin Details

Severity: High

ID: 114405

Type: remote

Published: 9/3/2024

Updated: 9/3/2024

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 6.1

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:laravel:laravel:*:*:*:*:*:*:*:*

Reference Information

CWE: 200, 284

OWASP: 2010-A6, 2010-A8, 2013-A5, 2013-A7, 2013-A9, 2017-A5, 2017-A6, 2017-A9, 2021-A1, 2021-A6

WASC: Information Leakage, Insufficient Authorization

CAPEC: 116, 13, 169, 19, 22, 224, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 441, 472, 478, 479, 497, 502, 503, 508, 536, 546, 550, 551, 552, 556, 558, 562, 563, 564, 573, 574, 575, 576, 577, 578, 59, 60, 616, 643, 646, 651, 79

DISA STIG: APSC-DV-000460, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-SI-15

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-1.4.2, 4.0.2-14.2.1, 4.0.2-8.3.4

PCI-DSS: 3.2-6.2, 3.2-6.5.8