Summary #

Invicti detected that the web application is configured to use the Config Browser plugin. The Config Browser plugin is a Struts 2 tool for viewing the web application's configuration at runtime. It should be used only during the development phase, and access to it should be strictly restricted in production.

Impact #

The Config Browser plugin exposes sensitive configuration information that could help an attacker conduct further attacks.

Actions To Take #

The Config Browser plugin can be disabled by removing its .jar file (usually named struts2-config-browser-plugin-*.jar) from the application's WEB-INF/lib directory.
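The following shell script is an added example, not part of the Invicti knowledge base entry: it audits one or more exploded webapp roots for the plugin jar named above and, when asked, removes it as the remediation describes. It assumes the application is deployed exploded (so WEB-INF/lib exists on disk); the /opt/tomcat paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not Invicti's code). Checks deployed webapp roots for the
# Struts 2 Config Browser plugin jar and optionally removes it.
# Assumes exploded deployments; all paths shown in comments are hypothetical.

# Print every Config Browser plugin jar found under the given webapp root(s).
# Exit status: 0 when none is present (finding remediated), 1 when at least one is.
audit_config_browser() {
    found=0
    for root in "$@"; do
        for jar in "$root"/WEB-INF/lib/struts2-config-browser-plugin-*.jar; do
            [ -e "$jar" ] || continue   # glob did not match: nothing in this root
            printf 'FOUND: %s\n' "$jar"
            found=1
        done
    done
    return "$found"
}

# Remove the plugin jar(s) from a single webapp root, leaving other jars alone.
# Prints each removed path. The container still has to be restarted or the
# application redeployed before the plugin's actions stop being served.
remove_config_browser() {
    root=$1
    for jar in "$root"/WEB-INF/lib/struts2-config-browser-plugin-*.jar; do
        [ -e "$jar" ] || continue
        rm -f -- "$jar" && printf 'REMOVED: %s\n' "$jar"
    done
}

# Usage (hypothetical Tomcat layout):
#   audit_config_browser /opt/tomcat/webapps/* || echo "Config Browser plugin present"
#   remove_config_browser /opt/tomcat/webapps/myapp
```

Run the audit across every deployed application rather than only the one the scanner flagged; the jar is often copied into several WARs from the same build template. Re-run the audit after the restart to confirm the remediation, since a redeploy from an unchanged build artifact will put the jar back.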

Classifications #
CWE-16; OWASP 2013-A5; OWASP 2017-A6; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N