CVE-2026-23664: Azure IoT Explorer Information Disclosure Vulnerability

Overview

Severity: High (CVSS 7.5)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2026-Mar
Released: 2026-03-10
EPSS Score: 0.07% (percentile: 22.4%)

Description

Improper restriction of communication channel to intended endpoints in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.

FAQ

What type of information could be disclosed by this vulnerability?

This vulnerability could allow an attacker with network access to the exposed Azure IoT Explorer API port to view sensitive data that the application makes available without authentication. Depending on how the application is used, this may include file contents from the host system, directory listings, IoT device data or configuration details, and metadata retrieved through server-side request forgery (SSRF), such as Azure Instance Metadata Service (IMDS) information.

Affected Products (1)

Azure

  • Azure IoT Explorer

Security Updates (2)

Acknowledgments

Hay Mizrachi (https://www.linkedin.com/in/hay-mizrachi/) with Microsoft (https://microsoft.com/)

Revision History

  • 2026-03-10: Information published.