307 – Insecure object reference - Data

Description

It is possible to access information about other stores, obtain members registered in other stores, modify members and add members from other stores that a user has not been assigned to just by knowing the identifier that differentiates them, since the application does not validate the necessary permissions to access.

Impact

- Obtain membership information from other stores. - Add members to other stores. - Modify partners to other stores. - Unsubscribe a partner.

Recommendation

Verify that the user who is trying to access the information has the necessary permissions to do so.

Threat

User authenticated from the Internet.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): L
• Availability (VA): L
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 176 - Restrict system objects

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/19