287 – Insecure object reference - Corporate information

Description

It is possible to include or modify employee information of third party companies by uploading an excel file and changing the payrollNumber. An attacker can initiate a request to upload an excel file containing information on existing or non-existent employees and change the company identifier (payrollnumber) to one to which he does not have access. In this way the information sent is stored in the third party company, associating new employees or updating the information of those that already existed.

Impact

- Start a file upload process. - Change the payrollNumber to not own. - Upload or modify information to a third party company.

Recommendation

Verify that the user who is trying to modify the information has the necessary permissions to access.

Threat

Unauthorized user with access to corporate information.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): H
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 176 - Restrict system objects

Fixes

• Csharp
• Elixir
• Go
• Java
• Ruby
• Scala
• Typescript

Last updated

2024/02/19