Description

Requests that query the expenses and movements associated with a credit card send the encrypted product number. Even so, the query can be made from the session of an account other than the one associated with the credit card.

Impact

Obtain the expense information of other users.

Recommendation

Verify that the user who is trying to access the information has the necessary permissions to do so.
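
The check recommended above, shown next to the behaviour from the description. This is an added example, not code from the affected application; the card store, session table, token values and function names are constructed assumptions, and the dictionary lookup stands in for decrypting the product number.

```python
# Added illustration; every name and value below is constructed.

# Opaque (encrypted) product number -> card record. The lookup stands in
# for the server-side decryption of the product number.
CARDS = {
    "enc-7f3a": {"owner": "alice", "movements": [("2024-05-01", "Grocery", 42.10)]},
    "enc-91bc": {"owner": "bob", "movements": [("2024-05-03", "Fuel", 55.00)]},
}

# Session id -> authenticated account.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Forbidden(Exception):
    """Raised when the session's account may not read the requested card."""


def authenticate(session_id):
    account = SESSIONS.get(session_id)
    if account is None:
        raise Forbidden("no valid session")
    return account


def movements_vulnerable(session_id, enc_product):
    """Behaviour in the description: any valid session can query any card."""
    authenticate(session_id)  # identity is established but never used
    card = CARDS.get(enc_product)
    if card is None:
        raise Forbidden("unknown product")
    return card["movements"]


def movements_checked(session_id, enc_product):
    """Hardened form: the card must belong to the session's account."""
    account = authenticate(session_id)
    card = CARDS.get(enc_product)
    # One error for "unknown" and "not yours", so the response does not
    # confirm that a given product number exists.
    if card is None or card["owner"] != account:
        raise Forbidden("product not available for this account")
    return card["movements"]
```

Encrypting the product number hides its value but does not authorize the caller; ownership has to be checked against the session on every request.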

Threat

Authorized user from the Internet with access to the encrypted product number.

Expected Remediation Time

⏱️ 60 minutes.

Score

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

Attack vector: N
Attack complexity: L
Attack requirements: N
Privileges required: L
User interaction: N
Confidentiality (VC): L
Integrity (VI): N
Availability (VA): N
Confidentiality (SC): N
Integrity (SI): N
Availability (SA): N

Threat 4.0

Exploit maturity: X

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N