306 – Insecure object reference - Files

Description

An unauthorized user can access or manipulate information of other users just by knowing the identifier that differentiates them, since the application does not validate the necessary permissions to access.

Impact

Access or manipulate the victims account information by knowing a victims user ID.

Recommendation

Verify that the user who is trying to access the information has the necessary permissions to access.

Threat

Unauthorized user from local network.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 176 - Restrict system objects

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/19