
Insecure functionality - Fingerprint


The application allows unsolicited user data updates.


Update and consult information related to the user.


Make sure that the fields to be updated are the same as those requested from the user.


Authenticated attacker on the Internet.

Expected Remediation Time

⌚ 30 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N


  • Exploit code maturity: P
  • Remediation level: W
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:W/RC:X
  • Score:
    • Base: 4.3
    • Temporal: 4.0
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application securely verifies which field the user is trying to update.

const updateInfo = (req, res) => {
  if (isValidUser(req.body.user)) {
    if (validateToken === req.body.token) {
      // Field the user asked to change and its new value
      const fieldToUpdate = req.body.field;
      const updatedField = req.body.infoChange;
      // Change the correct user field (code to validate/clean input data must also be included)
      updateUser(fieldToUpdate, updatedField);
    }
  }
};

Non compliant code

The application does not perform server-side validation to confirm the field the user is trying to change.

const updateInfo = (req, res) => {
  if (isValidUser(req.body.user)) {
    if (validateToken === req.body.token) {
      const updatedField = req.body.infoChange;
      // No server-side check of which field the user asked to change
      updateUser("password", updatedField);
    }
  }
};
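One way to enforce the recommendation above (update only the fields that were requested from the user), as an added example that is not part of the original page. The names `ALLOWED_FIELDS`, `applyProfileUpdate`, the field names and the sample user are assumptions made for illustration.

```javascript
// Added example. Updatable fields and their validators (hypothetical field names).
// Anything not listed here, such as "password" or "role", can never be changed via this path.
const ALLOWED_FIELDS = new Map([
  ["displayName", (v) => typeof v === "string" && v.length >= 1 && v.length <= 64],
  ["email", (v) => typeof v === "string" && /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v)],
  ["phone", (v) => typeof v === "string" && /^\+?[0-9]{7,15}$/.test(v)],
]);

// user:            current stored record
// requestedFields: fields the server itself asked this user for (e.g. kept in the session
//                  when the form was rendered), never taken from the request
// body:            untrusted, already-parsed request body
function applyProfileUpdate(user, requestedFields, body) {
  const changes = {};
  for (const field of Object.keys(body)) {
    // Reject anything outside the allowlist or not solicited in this flow
    if (!ALLOWED_FIELDS.has(field) || !requestedFields.includes(field)) {
      return { ok: false, status: 400, error: `unsolicited field: ${field}` };
    }
    // Validate the value for the field before accepting it
    if (!ALLOWED_FIELDS.get(field)(body[field])) {
      return { ok: false, status: 422, error: `invalid value for: ${field}` };
    }
    changes[field] = body[field];
  }
  // Merge only the vetted keys; the request body is never spread into the record
  return { ok: true, status: 200, user: { ...user, ...changes } };
}

// Constructed sample data
const sampleUser = {
  id: 7,
  displayName: "ana",
  email: "ana@example.test",
  role: "user",
  password: "stored-hash-placeholder",
};

const solicited = applyProfileUpdate(sampleUser, ["email"], { email: "new@example.test" });
const unsolicited = applyProfileUpdate(sampleUser, ["email"], {
  email: "new@example.test",
  role: "admin",
});
console.log(solicited.status, unsolicited.status, unsolicited.error);
```

Rejecting the whole request when an unsolicited field appears, rather than silently dropping it, also gives the server a clear event to log.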