CVE-2023-48131: 
NixOS vulnerability analysis and mitigation

An issue in CHIGASAKI BAKERY mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. The vulnerability was discovered in the mini-app's response from www.l-members.me/miniapp/members_card endpoint, which exposes the critical channel access token credential to client-side users (GitHub Report).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). The issue occurs when accessing the mini-app through Line's platform at liff.line.me/1657503542-rxRXgW2X. The channel access token, which should be kept secret according to Line's official documentation, is exposed in the response of the www.l-members.me/miniapp/members_card request (GitHub Report, NVD).

The vulnerability affects all users of the CHIGASAKI BAKERY mini-app. Attackers who obtain the exposed channel access token can exploit it to broadcast malicious messages through the Line platform, including potentially fraudulent information and malicious website links (GitHub Report).

The vulnerability affects Line version 13.6.1. Users should ensure they are using the latest version of the Line application and the CHIGASAKI BAKERY mini-app. The proper mitigation would involve server-side changes to prevent the exposure of the channel access token in client-side responses (NVD).