127 Lack of data validation - Type confusion


Description

A field declared to accept only numbers is interpreted on the server side, so values written in another notation, such as 0xff, are accepted and converted instead of being rejected.


Impact

- Get internal information about the operation of the system.
- Inject code and get it interpreted by the server.


Recommendation

Validate the data type of every entered value on the server side, and reject values that do not match the expected type instead of interpreting them.
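The following added example (not part of the original page) contrasts a loosely parsed numeric field with a strictly validated one. The weak parser assumes the server hands the raw string to a permissive integer parser (Python's `int(raw, 0)`, which infers the radix from a prefix), so `0xff`, `0o17`, `1_000` and padded or signed values are all silently converted. The strict parser checks the type first and accepts only a bounded run of ASCII decimal digits. The field name `quantity` and the sample inputs are constructed for illustration.

```python
"""Constructed example: a 'numbers only' form field parsed weakly vs strictly.

weak_parse_quantity  - interprets the value (radix prefixes, underscores,
                       whitespace and signs are all accepted by int(raw, 0)).
strict_parse_quantity - validates the type and shape first, converts only
                        when the value is plain ASCII decimal digits.
"""
import re

# Literal range 0-9 matches ASCII digits only; \d would also match other
# Unicode decimal digits, which int() happily converts.
_DECIMAL = re.compile(r"[0-9]{1,9}")


def weak_parse_quantity(raw):
    """Permissive server-side handling: the value is interpreted, not validated."""
    if not isinstance(raw, str):
        raise ValueError("quantity must be a string")
    return int(raw, 0)  # base 0 -> '0x', '0o', '0b' prefixes are honoured


def strict_parse_quantity(raw):
    """Hardened handling: check the type and exact shape, then convert."""
    if not isinstance(raw, str):
        raise ValueError("quantity must be a string")
    if _DECIMAL.fullmatch(raw) is None:
        raise ValueError("quantity must be 1-9 ASCII decimal digits")
    return int(raw)


def compare(samples):
    """Return {sample: (weak_result, strict_result)}.

    Each result is the parsed int, or None if that parser rejected the value.
    """
    out = {}
    for sample in samples:
        results = []
        for parser in (weak_parse_quantity, strict_parse_quantity):
            try:
                results.append(parser(sample))
            except ValueError:
                results.append(None)
        out[sample] = tuple(results)
    return out


# Constructed inputs a client could submit to a field the UI labels "numbers only".
SAMPLES = [
    "42",             # the only value that should be accepted
    "0xff",           # hexadecimal prefix
    "0o17",           # octal prefix
    "0b101",          # binary prefix
    "1_000",          # digit-group underscores
    " 42 ",           # surrounding whitespace
    "+7",             # explicit sign
    "-1",             # negative value
    "\u0664\u0662",   # Arabic-Indic digits for 42
    "4e2",            # scientific notation (rejected by both)
    "ff",             # hex without prefix (rejected by both)
]

if __name__ == "__main__":
    for value, (weak, strict) in compare(SAMPLES).items():
        print(f"{value!r:>14}  weak={weak!r:<6} strict={strict!r}")
```

Running the block prints one line per sample; every value except `"42"` is converted by the weak parser or rejected by both, while the strict parser converts only `"42"`. The point is that validation must decide on the declared type and shape before any conversion routine sees the input.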


Threat

Authorized user from intranet.


Expected Remediation Time

30 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: A
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): N
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Requirements


Fixes


Last updated

2024/02/13