Description

This web application is configured with the serviceMetadata property httpGetEnabled / httpsGetEnabled set to true. When configured this way, the WCF service metadata (e.g. WSDL) will be publicly accessible.

Remediation

It's recommended to disable service metadata publishing by setting the serviceMetadata property httpGetEnabled / httpsGetEnabled to false. 

<serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />

References

ServiceMetadataBehavior

Related Vulnerabilities

WordPress user registration enabled

Apache stronghold-info enabled

PHP allow_url_include Is Enabled

Unsupported Hash Detected in Content Security Policy (CSP)

XML external entity injection (variant)

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration