Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Botpress - Credential Disclosure via Twilio Webhook Handler
Vulnerability Description
The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Vulnerability Type
N/A
Vulnerability Title
Twilio integration 安全漏洞
Vulnerability Description
Twilio integration是Twilio公司的一个支持通信服务接入与消息交互能力集成的接口组件。 Twilio integration存在安全漏洞,该漏洞源于Webhook处理程序未验证X-Twilio-Signature,可能导致攻击者伪造Webhook载荷并获取明文凭据,从而完全控制Twilio账户。
CVSS Information
N/A
Vulnerability Type
N/A