
013 Insecure object reference


Description

The system's authorization mechanism does not prevent one user from accessing another user's data by modifying the key value that identifies it.


Impact

Obtain, modify or delete information from other users.


Recommendation

- Validate that unprivileged users can access and modify only their own information.
- Handle the user operations using session objects.
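The following is an added example, not code from this catalog entry, that shows the two recommendations side by side: a record lookup keyed only on the client-supplied identifier beside one scoped to the owner held in the session object. The in-memory record store, the `Session` class and the record ids are constructed for the demonstration.

```python
# Added example (not part of the catalog entry): insecure direct object
# reference in a record lookup, and the ownership check that closes it.
# RECORDS, Session and the ids below are constructed for this demonstration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    # Identity established at login; never taken from the request itself.
    user_id: int


# Constructed data store: two users, one record each.
RECORDS = {
    101: {"owner": 1, "iban": "DE00-constructed"},
    102: {"owner": 2, "iban": "FR00-constructed"},
}


class Forbidden(Exception):
    pass


def get_record_insecure(session: Session, record_id: int) -> dict:
    # Vulnerable: the only key used is the client-controlled record_id, so
    # changing 101 to 102 in the request returns another user's record.
    return RECORDS[record_id]


def get_record_secure(session: Session, record_id: int) -> dict:
    # Hardened: the lookup is scoped to the authenticated owner taken from
    # the session object, so the client-controlled id alone is never enough.
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session.user_id:
        # Same outcome for "missing" and "not yours", so a user probing the
        # key space cannot learn which identifiers exist.
        raise Forbidden("record not found")
    return record


def update_record_secure(session: Session, record_id: int, iban: str) -> dict:
    # Write paths need the same check: the Impact section lists modify and
    # delete alongside read. Reusing the guarded lookup keeps them consistent.
    record = get_record_secure(session, record_id)
    record["iban"] = iban
    return record
```

The same ownership predicate belongs in every handler that takes an object identifier from the client, including delete and list endpoints, not only the read path shown here.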


Threat

Authenticated user from the Internet.


Expected Remediation Time

60 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): N
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Requirements


Fixes


Last updated

2024/02/06