328 – Insecure object reference - Session management

Description

It is possible to close active sessions of other users by knowing their e-mail.

Impact

Close user sessions in the application.

Recommendation

Validate that the users email is not altered or replaced by another users email in the logout process.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

45 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): N
• Availability (VA): L
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 176 - Restrict system objects

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/19