Authentication mechanism absence or evasion - Security Image
Description
It is possible to eliminate the use of the image and security phrase at user login.
Impact
Remove image and security phrase which can facilitate other types of attacks.
Recommendation
Make sure that only one number of an existing image can be sent so that the image and passphrase function is not eliminated.
Threat
User authenticated from the Internet.
Expected Remediation Time
⌚ 240 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: L
- Availability: N
Temporal
- Exploit code madurity: X
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
- Score:
- Base: 4.3
- Temporal: 4.3
- Severity:
- Base: Medium
- Temporal: Medium
Score 4.0
Default score using CVSS 4.0 . It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: L
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): N
- Integrity (VI): L
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit madurity: X
Result 4.0
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X
- Score:
- CVSS-BT: 5.3
- Severity:
- CVSS-BT: Medium
Requirements
- 227.Display access notification
- 228.Authenticate using standard protocols
- 229.Request access credentials
- 231.Implement a biometric verification component
- 235.Define credential interface
- 264.Request authentication
- 323.Exclude unverifiable files
Fixes
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.