Skip to main content

Insecure object reference - Files


An unauthorized user can access or manipulate information of other users just by knowing the identifier that differentiates them, since the application does not validate the necessary permissions to access.


Access or manipulate the victims account information by knowing a victims user ID.


Verify that the user who is trying to access the information has the necessary permissions to access.


Unauthorized user from local network.

Expected Remediation Time

⌚ 30 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N


  • Exploit code madurity: X
  • Remediation level: O
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:X
  • Score:
    • Base: 4.3
    • Temporal: 4.1
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application verifies user credentials before accessing sensitive information

const accessfile = (req, res) => {
if (isValidUser(req.body.user)) {
const file = req.body.File;
if FilesModel.find({
const isAccessgranted = verifyUserAccess(file,
if isAccessgranted{
//Code that allows access to the user to edit the File only if the user has access

Non compliant code

The application only checks userId before allowing access to sensitive information

const accessFile = (req, res) => {
if (isValidUser(req.body.user)) {
const File = req.body.file;
//Accessing File only with the id number
if filesModel.find({
//Code that allows access to the user to access the File