369 – Insecure object reference - User deletion

Description

The system does not have protections that prevent the removal of users from the application, leaving it inoperative and affecting its integrity to a high degree. It is even evident that once the user is deleted, the session is not deleted and still allows the user to continue browsing, which should also be corrected.

Impact

- Remove all users from the platform. - Affect other processes and connections that depend on the existence of users.

Recommendation

The respective controls must be established to mitigate any functionality that is foreign to the current role.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): H
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 176 - Restrict system objects

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/20