Skip to main content

Insufficient data authenticity validation - Front bypass

Description

The credentials policy present in the system warns that these cannot be consecutive and/or repeated numbers, however this validation is only done in the front end of the application, so it is possible to modify the password from the same request and assign a key that goes against the policies.

Impact

Bypass security policies assigned for user keys.

Recommendation

The key creation policy must be validated on both the front and back ends of the application.

Threat

Attacker without credentials from the Internet.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Requirements