294 – Insecure service configuration - OTP

Description

The OTP mock is still enabled in the application.

Impact

- Attacker with information from a user of the application gets to the point where the OTP is requested. - Enters default OTP and successfully logs in to the application.

Recommendation

Remove the OTP mock so that you can only login to the application with the OTP sent to the email.

Threat

Unauthorized user with access to the application.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 139 - Set minimum OTP length
• 266 - Disable insecure functionalities

Fixes

• Dart
• Python

Last updated

2024/02/19