CVE-2023-48129: 
NixOS vulnerability analysis and mitigation

An issue in kimono-oldnew mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. The vulnerability was discovered and assigned CVE-2023-48129, classified as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200). The vulnerability affects the Line application version 13.6.1 and has received a CVSS v3.1 base score of 5.4 (MEDIUM) (NVD).

The vulnerability exists in the mini-app's response from www.l-members.me/miniapp/members_card endpoint, which exposes the channel access token to the client-side. The channel access token is a critical credential used for securing communication channels within Line. This token is transmitted in the request header 'Authorization' when making requests to api.line.me/message/v3/notifier/token. The exposure of this token violates Line's security requirements, as it should be strictly protected from unauthorized access (GitHub Report).

The vulnerability affects all users of the kimono-oldnew mini-app. When exploited, attackers can utilize the exposed channel access token to broadcast malicious messages through the Line platform, including potentially harmful website links and fraudulent information (GitHub Report).