CVE-2023-48126: 
NixOS vulnerability analysis and mitigation

An issue in Luxe Beauty Clinic mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. The vulnerability was discovered in the mini-app's response from www.l-members.me/miniapp/members_card endpoint, which exposes the critical channel access token credential to client-side users (GitHub Report).

The vulnerability is classified as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200). The issue occurs when accessing the mini-app through Line application, where the response from www.l-members.me/miniapp/members_card endpoint contains the channel access token in plaintext. This token is used for securing communication channels within Line and should be kept secret according to official documentation. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).

The exposure of the channel access token allows attackers to broadcast malicious messages through the compromised channel. This could lead to users receiving unauthorized notifications containing malicious website links, fraudulent information, or other harmful content. The vulnerability affects all users of the Luxe Beauty Clinic mini-app (GitHub Report).