
288 Insecure object reference - Financial information


Description

Although the requests that query the expenses and transactions associated with a credit card send the product number in encrypted form, the query can be made from the session of an account other than the one that owns the card: the encrypted identifier alone is treated as sufficient authorization.


Impact

Obtain expense information from other users.


Recommendation

Verify that the user who is trying to access the information has the necessary permissions to do so.
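The following is an added example, not code from the original page: an expense-inquiry handler that keys the lookup on an opaque token standing in for the encrypted product number, first without and then with the ownership check. The data, token mapping and function names are constructed for illustration.

```python
# Added example (not part of the original page). A server-side expense
# inquiry that resolves an opaque card token; the vulnerable version trusts
# the token, the fixed version also checks that the card belongs to the
# session's account and records denied attempts for monitoring.

# Constructed sample data: card number -> owner account and expenses.
CARDS = {
    "4111-0001": {"owner": "alice",
                  "expenses": [("2024-02-01", 120.50), ("2024-02-10", 35.00)]},
    "4111-0002": {"owner": "bob", "expenses": [("2024-02-03", 80.00)]},
}
# Stand-in for the "encrypted product number": an opaque token the server
# maps back to the real card (assumption; a real service would decrypt it).
TOKENS = {"tok-a": "4111-0001", "tok-b": "4111-0002"}

# Audit trail of denied inquiries, useful for detecting enumeration attempts.
DENIED_AUDIT = []


class InquiryError(Exception):
    """One error for both unknown token and foreign card, so the response
    does not reveal whether a guessed token was valid."""


def resolve_card(token):
    number = TOKENS.get(token)
    if number is None:
        raise InquiryError("inquiry rejected")
    return number


def expenses_vulnerable(session_user, token):
    # Bug: encrypting the identifier is not authorization. Any authenticated
    # user holding a valid token receives the expenses of someone else's card.
    return CARDS[resolve_card(token)]["expenses"]


def expenses_fixed(session_user, token):
    card = CARDS[resolve_card(token)]
    if card["owner"] != session_user:
        DENIED_AUDIT.append((session_user, token))  # feed for detection rules
        raise InquiryError("inquiry rejected")
    return card["expenses"]


def is_denied(handler, session_user, token):
    """True if the handler refuses the inquiry (helper for checking behaviour)."""
    try:
        handler(session_user, token)
        return False
    except InquiryError:
        return True
```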


Threat

Authorized user from the Internet with access to the encrypted product number.


Expected Remediation Time

60 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): N
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Requirements


Fixes


Last updated

2024/02/19