451 OData injection


Description

OData injection allows an attacker to manipulate the query parameters of an OData API (such as $filter, $orderby, etc.) to access, modify, or exfiltrate unauthorized data by exploiting insufficient validation or filtering.


Impact

- Exposure of sensitive data (users, emails, hashed passwords, etc.)
- Bypass of access controls
- Modification of data (in extreme cases)
- Execution of unintended logic in the backend


Recommendation

- Validate and sanitize all OData parameters.
- Restrict the allowed OData operators.
- Use libraries that correctly implement OData parsing.
- Enforce access control on the backend, without relying solely on client-side filters.
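An allowlist-based check for the `$filter` and `$orderby` query options, in the spirit of the recommendation above. This is an added example, not code from this page or from any OData library; the field names, operator set and size limits are assumptions that a real service would derive from the entity model it exposes.

```python
import re

# Allowlists, constructed for this example; a real service derives them from
# the entity model it actually exposes, never from what the client sends.
ALLOWED_FIELDS = {"name", "status", "createdAt"}
ALLOWED_LOGICAL = {"and", "or"}

# One comparison: <field> <op> <literal>; the literal is a single-quoted string
# (with '' as the escaped quote) or an unsigned integer. The anchors reject
# functions such as contains(...), navigation paths (a/b) and parentheses.
_TERM = re.compile(r"^(\w+)\s+(eq|ne|gt|ge|lt|le)\s+('(?:[^']|'')*'|\d+)$")
_ORDER = re.compile(r"^(\w+)(?:\s+(asc|desc))?$")


def validate_filter(expr: str, max_terms: int = 5) -> bool:
    """Accept a $filter only if it is a flat chain of allowlisted comparisons
    joined by and/or. Anything the grammar does not recognise is rejected
    (fail closed), including string literals that contain ' and ' or ' or '."""
    parts = re.split(r"\s+(and|or)\s+", expr.strip())
    terms, logicals = parts[0::2], parts[1::2]
    if not 1 <= len(terms) <= max_terms:
        return False
    if any(op not in ALLOWED_LOGICAL for op in logicals):
        return False
    for term in terms:
        m = _TERM.match(term)
        if m is None or m.group(1) not in ALLOWED_FIELDS:
            return False
    return True


def validate_orderby(expr: str, max_keys: int = 3) -> bool:
    """Accept a $orderby only if every key is an allowlisted field with an
    optional asc/desc direction."""
    keys = [k.strip() for k in expr.split(",")]
    if not 1 <= len(keys) <= max_keys:
        return False
    for key in keys:
        m = _ORDER.match(key)
        if m is None or m.group(1) not in ALLOWED_FIELDS:
            return False
    return True


def accept_query(params: dict) -> bool:
    """Gate for the OData query options a request may carry. Options that have
    no validator ($expand, $apply, ...) are rejected rather than passed through."""
    checks = {"$filter": validate_filter, "$orderby": validate_orderby}
    return all(key in checks and checks[key](value) for key, value in params.items())
```

This check complements, and does not replace, the backend access control named in the last recommendation: a syntactically valid filter over allowed fields must still be evaluated only against rows the caller is authorized to see.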


Threat

Authenticated attacker from the Internet.


Expected Remediation Time

360 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): L
  • Availability (VA): L
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Requirements


Last updated

2025/06/19