CVE-2023-48130: 
NixOS vulnerability analysis and mitigation

An issue in GINZA CAFE mini-app on Line v13.6.1 was discovered that exposes the channel access token to unauthorized actors. The vulnerability was assigned CVE-2023-48130 and is classified as an information exposure vulnerability (CWE-200). The vulnerability affects users of the GINZA CAFE mini-app on the Line platform (GitHub Report).

The vulnerability stems from the exposure of the critical channel access token in the response of the request to 'www.l-members.me/miniapp/members_card'. The channel access token, which is meant to secure communication channels within Line, is exposed client-side. This token is used in the request header 'Authorization' for 'https://api.line.me/message/v3/notifier/token' and should be strictly protected. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).

The exposure of the channel access token allows attackers to potentially broadcast malicious messages through the Line platform. This could lead to users receiving unauthorized communications including malicious website links and fraudulent information. The vulnerability affects all users of the GINZA CAFE mini-app (GitHub Report).