Description

An unauthorized attacker who generates a token without credentials can, due to a misconfiguration in the file upload, replace files already uploaded by a client, because the application does not validate whether these were already sent in the file upload request.

Impact

Replace information sent by customers.

Recommendation

Enable a mechanism to identify the status of the procedure and restrict access to objects to authorized users.
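
One way to apply this recommendation, as an added example that is not part of the original entry or of any affected application. The names UploadService, Procedure, try_upload and the sample tokens, process ID and file slots are hypothetical, and it assumes tokens are issued only after authentication.

```python
from dataclasses import dataclass, field

class UploadRejected(Exception):
    """An upload request failed an authorization or state check."""

@dataclass
class Procedure:
    owner: str                                  # user who opened the procedure
    status: str = "OPEN"                        # OPEN -> SUBMITTED
    files: dict = field(default_factory=dict)   # slot name -> content

class UploadService:
    def __init__(self):
        self.sessions = {}      # token -> user (assumed: issued after authentication)
        self.procedures = {}    # process ID -> Procedure

    def upload(self, token, process_id, slot, data):
        user = self.sessions.get(token)
        if user is None:
            raise UploadRejected("token not issued to an authenticated user")
        proc = self.procedures.get(process_id)
        # Knowing the process ID is not enough: the caller must own the procedure.
        if proc is None or proc.owner != user:
            raise UploadRejected("caller is not authorized for this procedure")
        if proc.status != "OPEN":
            raise UploadRejected("procedure is closed to uploads")
        if slot in proc.files:  # decided from server-side state, not the request
            raise UploadRejected("file already uploaded for this slot")
        proc.files[slot] = data

def try_upload(svc, token, process_id, slot, data):
    """Return 'stored' or the rejection reason."""
    try:
        svc.upload(token, process_id, slot, data)
        return "stored"
    except UploadRejected as exc:
        return str(exc)

def demo():
    svc = UploadService()                       # constructed sample data below
    svc.sessions = {"tok-client": "client", "tok-other": "other"}
    svc.procedures["P-1"] = Procedure(owner="client")
    tokens = ["tok-client", "tok-forged", "tok-other", "tok-client"]
    results = [try_upload(svc, t, "P-1", "id_card", t.encode()) for t in tokens]
    svc.procedures["P-1"].status = "SUBMITTED"  # client finished the procedure
    results.append(try_upload(svc, "tok-client", "P-1", "proof", b"late"))
    return results, svc.procedures["P-1"].files

print(demo())
```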

Threat

Unauthorized external attacker with process ID.

Expected Remediation Time

⏱️ 60 minutes.