Invicti identified a source code disclosure (Tomcat), which discloses server-side source code.

An attacker might obtain server-side source code of the web application which can contain sensitive data, such as database connection strings, usernames and passwords, along with the technical and business logic of the application.

Depending on the source code, database connection strings, username and passwords, the internal workings and business logic of application might be revealed. With such information, an attacker can mount the following types of attacks:

• Access the database or other data resources. Depending on the privileges of the account obtained from the source code, it may be possible to read, update or delete arbitrary data from the database.
• Gain access to password protected administrative mechanisms such as dashboards, management consoles and admin panels, hence gaining full control of the application.
• Develop further attacks by investigating the source code for input validation errors and logic vulnerabilities.

1. Ensure that the server has all the current security patches applied.
2. Set the allowLinking attribute to false on the Tomcat configuration for Windows systems.