CVE-2023-39739
📋 TL;DR
This vulnerability in REGINA SWEETS&BAKERY Line 13.6.1 allows attackers to obtain the client secret, which can then be used to steal the channel access token. Attackers can use this token to send unauthorized broadcast messages through the LINE messaging platform. This affects organizations using the vulnerable REGINA SWEETS&BAKERY software integrated with LINE services.
💻 Affected Systems
- REGINA SWEETS&BAKERY Line
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control of the LINE channel, sending malicious broadcast messages to all subscribers, potentially spreading malware, phishing links, or damaging the organization's reputation.
Likely Case
Attackers send spam or fraudulent messages to subscribers, causing reputational damage and potential financial losses from customer complaints or regulatory fines.
If Mitigated
Unauthorized message sending is prevented, but the client secret exposure still represents an information disclosure risk.
🎯 Exploit Status
The client secret leakage appears to be straightforward to exploit once discovered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Contact REGINA SWEETS&BAKERY vendor for updated version or security guidance.
🔧 Temporary Workarounds
Regenerate LINE Channel Credentials
Immediately regenerate the LINE channel access token and client secret in the LINE Developer Console to invalidate any stolen credentials.
1. Log into LINE Developer Console
2. Navigate to your channel settings
3. Regenerate both access token and channel secret
Disable LINE Integration
Temporarily disable the LINE integration feature in REGINA SWEETS&BAKERY until a fix is available.
Disable LINE messaging features in the software configuration
🧯 If You Can't Patch
- Implement network segmentation to isolate the vulnerable system from internet access
- Monitor LINE API logs for unauthorized broadcast message attempts
🔍 How to Verify
Check if Vulnerable:
Check whether you are running REGINA SWEETS&BAKERY Line version 13.6.1 with LINE integration enabled.
Check Version:
Check software version in REGINA SWEETS&BAKERY administration interface
Verify Fix Applied:
Verify that new LINE channel credentials have been generated and old ones are no longer functional.
📡 Detection & Monitoring
Log Indicators:
- Unusual broadcast message activity in LINE channel logs
- Multiple failed authentication attempts to LINE API
Network Indicators:
- Unexpected outbound connections to LINE API endpoints
- Unusual message volume from your LINE channel
SIEM Query:
source="line_api" AND (event_type="broadcast" AND user NOT IN [authorized_users])