305 – Security controls bypass or absence - Data creation

Description

It is possible to bypass the restriction that only allows the creation of four beneficiaries when generating a policy, allowing the generation of multiple beneficiaries associated to a request, affecting the integrity of the data sent.

Impact

Associate multiple users without restriction.

Recommendation

Validate on the server side the types of data that are entered into different types of fields in the application.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 062 - Define standard configurations
• 266 - Disable insecure functionalities

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/19