Insecure object reference
Description
The systems authorization mechanism does not prevent one user from accessing another users data by modifying the key value that identifies it.
Impact
Obtain, modify or delete information from other users.
Recommendation
- Validate that unprivileged users can access and modify only their own information. - Handle the user operations using session objects.
Threat
Authenticated user from the Internet.
Expected Remediation Time
⏱️ 60 minutes.
Requirements
176 - Restrict system objectsScore
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
Attack vector
N
Attack complexity
L
Attack requirements
N
Privileges required
L
User interaction
N
Confidentiality (VC)
L
Integrity (VI)
N
Availability (VA)
N
Confidentiality (SC)
N
Integrity (SI)
N
Availability (SA)
N
Threat 4.0
Exploit maturity
P
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P