417 – Account Takeover

Description

By exploiting one or several application vulnerabilities it is possible to take control over a user account and perform action on his behalf

Impact

- Affect the traceability and non-repudiation of the user's actions. - Deny the access of a legitimate user to its own account - Obtain potentially confidential information from the user account

Recommendation

Define account recovery mechanisms, validating that the requester is the account owner.

Threat

Authenticated attacker from the Internet

Expected Remediation Time

100 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): L
• Availability (VA): L
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: A

Requirements

• 266 - Disable insecure functionalities
• 238 - Establish safe recovery

Fixes

• Csharp
• Elixir
• Go
• Java
• Php
• Scala
• Typescript

Last updated

2024/02/21