
270 Insecure functionality - File Creation


Description

For an authenticated user with a profile that restricts certain functions, the restriction is enforced only on the front end, by disabling the corresponding button. This control can be bypassed, and the request is processed by the server when it is sent.


Impact

Access customer information on a massive scale.


Recommendation

Verify on the server side that the user making the request has sufficient permissions.
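The following is an added example, not code from the original page, that contrasts the vulnerable pattern (the server trusts that the UI kept the button disabled) with the recommended one (the server derives the authorization decision from its own session data on every request). The profile names, the action strings, the request shape and the audit log are assumptions made for this illustration.

```python
# Added example (not from the original page): server-side authorization for a
# file-creation endpoint. Profile names, action strings and the request shape
# are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Any, Dict, List, Set


@dataclass(frozen=True)
class User:
    username: str
    profile: str  # taken from the server-side session, never from the client


# Constructed permission matrix: which actions each profile may perform.
PROFILE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"file:create", "file:read"},
    "reader": {"file:read"},
}

# Denied attempts are recorded here; in a real deployment they would go to the
# application log so that repeated denials can be alerted on.
AUDIT_LOG: List[str] = []


def is_allowed(user: User, action: str) -> bool:
    """Authorization decision derived only from server-held state."""
    return action in PROFILE_PERMISSIONS.get(user.profile, set())


def create_file_insecure(user: User, request: Dict[str, Any],
                         store: Dict[str, str]) -> Dict[str, Any]:
    """Vulnerable pattern: the only control is the disabled button in the UI.
    Whatever reaches the server is processed, regardless of the user's profile."""
    store[request["name"]] = request["content"]
    return {"status": 201, "created": request["name"]}


def create_file_secure(user: User, request: Dict[str, Any],
                       store: Dict[str, str]) -> Dict[str, Any]:
    """Hardened pattern: the server re-checks the permission on every request.
    Client-supplied hints such as request.get("button_enabled") are ignored."""
    if not is_allowed(user, "file:create"):
        AUDIT_LOG.append(
            f"DENY file:create user={user.username} profile={user.profile}")
        return {"status": 403, "error": "forbidden"}
    store[request["name"]] = request["content"]
    return {"status": 201, "created": request["name"]}


def demo() -> Dict[str, int]:
    """Send the same request from a restricted profile to both handlers.

    The request is a constructed sample: it carries the flag the front end would
    normally gate on, which shows why that flag must never be trusted server-side.
    """
    restricted = User("alice", "reader")
    request = {"name": "export.csv", "content": "...", "button_enabled": True}
    insecure_store: Dict[str, str] = {}
    secure_store: Dict[str, str] = {}
    r_insecure = create_file_insecure(restricted, request, insecure_store)
    r_secure = create_file_secure(restricted, request, secure_store)
    return {"insecure": r_insecure["status"], "secure": r_secure["status"]}


if __name__ == "__main__":
    print(demo())  # {'insecure': 201, 'secure': 403}
```

The decisive design choice is that `create_file_secure` looks only at `user.profile`, which comes from the authenticated session, and never at anything the client sends about the UI state; disabling the button remains useful for usability, but it is not a security control.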


Threat

Authenticated user from the Internet.


Expected Remediation Time

30 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the source.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): H
  • Integrity (VI): N
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Requirements


Fixes


Last updated

2024/02/18