Description

The __VIEWSTATE parameter is not encrypted for one or more pages. To reduce the chance of someone intercepting the information stored in the ViewState, it is good design to encrypt the ViewState.

Remediation

Turn on the encryption mode for the view state. Consult web references for more information, taking into consideration ASP.NET version

References

Page.ViewStateEncryptionMode Property

Cryptographic Improvements in ASP.NET 4.5, pt. 2

Working with ViewState

Related Vulnerabilities

WordPress Plugin S3Bubble Cloud Video With Adverts & Analytics Arbitrary File Download (0.7)

WordPress Plugin Memphis Documents Library Arbitrary File Download (3.1.5)

Unrestricted access to Caddy API interface

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-6610)

Plone CMS Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-7060)

Severity

Low

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure