ID CVE-2019-16202
Summary MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the __checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP (<2.4.115)" message.
References
Vulnerable Configurations
  • MISP 0.1
    cpe:2.3:a:misp:misp:0.1
  • MISP 0.2
    cpe:2.3:a:misp:misp:0.2
  • MISP 2.1
    cpe:2.3:a:misp:misp:2.1
  • MISP 2.1.18
    cpe:2.3:a:misp:misp:2.1.18
  • MISP 2.2.1
    cpe:2.3:a:misp:misp:2.2.1
  • MISP 2.2.2
    cpe:2.3:a:misp:misp:2.2.2
  • MISP 2.3.0
    cpe:2.3:a:misp:misp:2.3.0
  • MISP 2.3.14
    cpe:2.3:a:misp:misp:2.3.14
  • MISP 2.3.15
    cpe:2.3:a:misp:misp:2.3.15
  • MISP 2.3.16
    cpe:2.3:a:misp:misp:2.3.16
  • MISP 2.3.17
    cpe:2.3:a:misp:misp:2.3.17
  • MISP 2.3.18
    cpe:2.3:a:misp:misp:2.3.18
  • MISP 2.3.19
    cpe:2.3:a:misp:misp:2.3.19
  • MISP 2.3.20
    cpe:2.3:a:misp:misp:2.3.20
  • MISP 2.3.21
    cpe:2.3:a:misp:misp:2.3.21
  • MISP 2.3.22
    cpe:2.3:a:misp:misp:2.3.22
  • MISP 2.3.23
    cpe:2.3:a:misp:misp:2.3.23
  • MISP 2.3.24
    cpe:2.3:a:misp:misp:2.3.24
  • MISP 2.3.25
    cpe:2.3:a:misp:misp:2.3.25
  • MISP 2.3.26
    cpe:2.3:a:misp:misp:2.3.26
  • MISP 2.3.27
    cpe:2.3:a:misp:misp:2.3.27
  • MISP 2.3.28
    cpe:2.3:a:misp:misp:2.3.28
  • MISP 2.3.29
    cpe:2.3:a:misp:misp:2.3.29
  • MISP 2.3.30
    cpe:2.3:a:misp:misp:2.3.30
  • MISP 2.3.31
    cpe:2.3:a:misp:misp:2.3.31
  • MISP 2.3.32
    cpe:2.3:a:misp:misp:2.3.32
  • MISP 2.3.33
    cpe:2.3:a:misp:misp:2.3.33
  • MISP 2.3.34
    cpe:2.3:a:misp:misp:2.3.34
  • MISP 2.3.35
    cpe:2.3:a:misp:misp:2.3.35
  • MISP 2.3.36
    cpe:2.3:a:misp:misp:2.3.36
  • MISP 2.3.37
    cpe:2.3:a:misp:misp:2.3.37
  • MISP 2.3.38
    cpe:2.3:a:misp:misp:2.3.38
  • MISP 2.3.39
    cpe:2.3:a:misp:misp:2.3.39
  • MISP 2.3.40
    cpe:2.3:a:misp:misp:2.3.40
  • MISP 2.3.41
    cpe:2.3:a:misp:misp:2.3.41
  • MISP 2.3.42
    cpe:2.3:a:misp:misp:2.3.42
  • MISP 2.3.43
    cpe:2.3:a:misp:misp:2.3.43
  • MISP 2.3.44
    cpe:2.3:a:misp:misp:2.3.44
  • MISP 2.3.45
    cpe:2.3:a:misp:misp:2.3.45
  • MISP 2.3.46
    cpe:2.3:a:misp:misp:2.3.46
  • MISP 2.3.47
    cpe:2.3:a:misp:misp:2.3.47
  • MISP 2.3.48
    cpe:2.3:a:misp:misp:2.3.48
  • MISP 2.3.49
    cpe:2.3:a:misp:misp:2.3.49
  • MISP 2.3.50
    cpe:2.3:a:misp:misp:2.3.50
  • MISP 2.3.51
    cpe:2.3:a:misp:misp:2.3.51
  • MISP 2.3.52
    cpe:2.3:a:misp:misp:2.3.52
  • MISP 2.3.53
    cpe:2.3:a:misp:misp:2.3.53
  • MISP 2.3.54
    cpe:2.3:a:misp:misp:2.3.54
  • MISP 2.3.55
    cpe:2.3:a:misp:misp:2.3.55
  • MISP 2.3.56
    cpe:2.3:a:misp:misp:2.3.56
  • MISP 2.3.57
    cpe:2.3:a:misp:misp:2.3.57
  • MISP 2.3.58
    cpe:2.3:a:misp:misp:2.3.58
  • MISP 2.3.59
    cpe:2.3:a:misp:misp:2.3.59
  • MISP 2.3.60
    cpe:2.3:a:misp:misp:2.3.60
  • MISP 2.3.61
    cpe:2.3:a:misp:misp:2.3.61
  • MISP 2.3.62
    cpe:2.3:a:misp:misp:2.3.62
  • MISP 2.3.63
    cpe:2.3:a:misp:misp:2.3.63
  • MISP 2.3.64
    cpe:2.3:a:misp:misp:2.3.64
  • MISP 2.3.65
    cpe:2.3:a:misp:misp:2.3.65
  • MISP 2.3.66
    cpe:2.3:a:misp:misp:2.3.66
  • MISP 2.3.67
    cpe:2.3:a:misp:misp:2.3.67
  • MISP 2.3.68
    cpe:2.3:a:misp:misp:2.3.68
  • MISP 2.3.69
    cpe:2.3:a:misp:misp:2.3.69
  • MISP 2.3.70
    cpe:2.3:a:misp:misp:2.3.70
  • MISP 2.3.71
    cpe:2.3:a:misp:misp:2.3.71
  • MISP 2.3.72
    cpe:2.3:a:misp:misp:2.3.72
  • MISP 2.3.73
    cpe:2.3:a:misp:misp:2.3.73
  • MISP 2.3.74
    cpe:2.3:a:misp:misp:2.3.74
  • MISP 2.3.75
    cpe:2.3:a:misp:misp:2.3.75
  • MISP 2.3.76
    cpe:2.3:a:misp:misp:2.3.76
  • MISP 2.3.77
    cpe:2.3:a:misp:misp:2.3.77
  • MISP 2.3.78
    cpe:2.3:a:misp:misp:2.3.78
  • MISP 2.3.79
    cpe:2.3:a:misp:misp:2.3.79
  • MISP 2.3.80
    cpe:2.3:a:misp:misp:2.3.80
  • MISP 2.3.81
    cpe:2.3:a:misp:misp:2.3.81
  • MISP 2.3.82
    cpe:2.3:a:misp:misp:2.3.82
  • MISP 2.3.83
    cpe:2.3:a:misp:misp:2.3.83
  • MISP 2.3.84
    cpe:2.3:a:misp:misp:2.3.84
  • MISP 2.3.85
    cpe:2.3:a:misp:misp:2.3.85
  • MISP 2.3.87
    cpe:2.3:a:misp:misp:2.3.87
  • MISP 2.3.88
    cpe:2.3:a:misp:misp:2.3.88
  • MISP 2.3.89
    cpe:2.3:a:misp:misp:2.3.89
  • MISP 2.3.90
    cpe:2.3:a:misp:misp:2.3.90
  • MISP 2.3.91
    cpe:2.3:a:misp:misp:2.3.91
  • MISP 2.3.92
    cpe:2.3:a:misp:misp:2.3.92
  • MISP 2.3.93
    cpe:2.3:a:misp:misp:2.3.93
  • MISP 2.3.94
    cpe:2.3:a:misp:misp:2.3.94
  • MISP 2.3.95
    cpe:2.3:a:misp:misp:2.3.95
  • MISP 2.3.96
    cpe:2.3:a:misp:misp:2.3.96
  • MISP 2.3.97
    cpe:2.3:a:misp:misp:2.3.97
  • MISP 2.3.98
    cpe:2.3:a:misp:misp:2.3.98
  • MISP 2.3.99
    cpe:2.3:a:misp:misp:2.3.99
  • MISP 2.3.100
    cpe:2.3:a:misp:misp:2.3.100
  • MISP 2.3.101
    cpe:2.3:a:misp:misp:2.3.101
  • MISP 2.3.102
    cpe:2.3:a:misp:misp:2.3.102
  • MISP 2.3.103
    cpe:2.3:a:misp:misp:2.3.103
  • MISP 2.3.104
    cpe:2.3:a:misp:misp:2.3.104
  • MISP 2.3.105
    cpe:2.3:a:misp:misp:2.3.105
  • MISP 2.3.106
    cpe:2.3:a:misp:misp:2.3.106
  • MISP 2.3.107
    cpe:2.3:a:misp:misp:2.3.107
  • MISP 2.3.108
    cpe:2.3:a:misp:misp:2.3.108
  • MISP 2.3.109
    cpe:2.3:a:misp:misp:2.3.109
  • MISP 2.3.110
    cpe:2.3:a:misp:misp:2.3.110
  • MISP 2.3.111
    cpe:2.3:a:misp:misp:2.3.111
  • MISP 2.3.112
    cpe:2.3:a:misp:misp:2.3.112
  • MISP 2.3.113
    cpe:2.3:a:misp:misp:2.3.113
  • MISP 2.3.114
    cpe:2.3:a:misp:misp:2.3.114
  • MISP 2.3.115
    cpe:2.3:a:misp:misp:2.3.115
  • MISP 2.3.116
    cpe:2.3:a:misp:misp:2.3.116
  • MISP 2.3.117
    cpe:2.3:a:misp:misp:2.3.117
  • MISP 2.3.118
    cpe:2.3:a:misp:misp:2.3.118
  • MISP 2.3.120
    cpe:2.3:a:misp:misp:2.3.120
  • MISP 2.3.121
    cpe:2.3:a:misp:misp:2.3.121
  • MISP 2.3.122
    cpe:2.3:a:misp:misp:2.3.122
  • MISP 2.3.123
    cpe:2.3:a:misp:misp:2.3.123
  • MISP 2.3.124
    cpe:2.3:a:misp:misp:2.3.124
  • MISP 2.3.125
    cpe:2.3:a:misp:misp:2.3.125
  • MISP 2.3.126
    cpe:2.3:a:misp:misp:2.3.126
  • MISP 2.3.127
    cpe:2.3:a:misp:misp:2.3.127
  • MISP 2.3.128
    cpe:2.3:a:misp:misp:2.3.128
  • MISP 2.3.129
    cpe:2.3:a:misp:misp:2.3.129
  • MISP 2.3.130
    cpe:2.3:a:misp:misp:2.3.130
  • MISP 2.3.131
    cpe:2.3:a:misp:misp:2.3.131
  • MISP 2.3.132
    cpe:2.3:a:misp:misp:2.3.132
  • MISP 2.3.133
    cpe:2.3:a:misp:misp:2.3.133
  • MISP 2.3.134
    cpe:2.3:a:misp:misp:2.3.134
  • MISP 2.3.135
    cpe:2.3:a:misp:misp:2.3.135
  • MISP 2.3.136
    cpe:2.3:a:misp:misp:2.3.136
  • MISP 2.3.137
    cpe:2.3:a:misp:misp:2.3.137
  • MISP 2.3.138
    cpe:2.3:a:misp:misp:2.3.138
  • MISP 2.3.139
    cpe:2.3:a:misp:misp:2.3.139
  • MISP 2.3.140
    cpe:2.3:a:misp:misp:2.3.140
  • MISP 2.3.141
    cpe:2.3:a:misp:misp:2.3.141
  • MISP 2.3.142
    cpe:2.3:a:misp:misp:2.3.142
  • MISP 2.3.143
    cpe:2.3:a:misp:misp:2.3.143
  • MISP 2.3.144
    cpe:2.3:a:misp:misp:2.3.144
  • MISP 2.3.145
    cpe:2.3:a:misp:misp:2.3.145
  • MISP 2.3.146
    cpe:2.3:a:misp:misp:2.3.146
  • MISP 2.3.147
    cpe:2.3:a:misp:misp:2.3.147
  • MISP 2.3.148
    cpe:2.3:a:misp:misp:2.3.148
  • MISP 2.3.149
    cpe:2.3:a:misp:misp:2.3.149
  • MISP 2.3.150
    cpe:2.3:a:misp:misp:2.3.150
  • MISP 2.3.151
    cpe:2.3:a:misp:misp:2.3.151
  • MISP 2.3.152
    cpe:2.3:a:misp:misp:2.3.152
  • MISP 2.3.153
    cpe:2.3:a:misp:misp:2.3.153
  • MISP 2.3.154
    cpe:2.3:a:misp:misp:2.3.154
  • MISP 2.3.155
    cpe:2.3:a:misp:misp:2.3.155
  • MISP 2.3.156
    cpe:2.3:a:misp:misp:2.3.156
  • MISP 2.3.157
    cpe:2.3:a:misp:misp:2.3.157
  • MISP 2.3.158
    cpe:2.3:a:misp:misp:2.3.158
  • MISP 2.3.159
    cpe:2.3:a:misp:misp:2.3.159
  • MISP 2.3.160
    cpe:2.3:a:misp:misp:2.3.160
  • MISP 2.3.161
    cpe:2.3:a:misp:misp:2.3.161
  • MISP 2.3.162
    cpe:2.3:a:misp:misp:2.3.162
  • MISP 2.3.163
    cpe:2.3:a:misp:misp:2.3.163
  • MISP 2.3.164
    cpe:2.3:a:misp:misp:2.3.164
  • MISP 2.3.165
    cpe:2.3:a:misp:misp:2.3.165
  • MISP 2.3.166
    cpe:2.3:a:misp:misp:2.3.166
  • MISP 2.3.167
    cpe:2.3:a:misp:misp:2.3.167
  • MISP 2.3.168
    cpe:2.3:a:misp:misp:2.3.168
  • MISP 2.3.169
    cpe:2.3:a:misp:misp:2.3.169
  • MISP 2.3.170
    cpe:2.3:a:misp:misp:2.3.170
  • MISP 2.3.171
    cpe:2.3:a:misp:misp:2.3.171
  • MISP 2.3.172
    cpe:2.3:a:misp:misp:2.3.172
  • MISP 2.3.173
    cpe:2.3:a:misp:misp:2.3.173
  • MISP 2.3.174
    cpe:2.3:a:misp:misp:2.3.174
  • MISP 2.3.175
    cpe:2.3:a:misp:misp:2.3.175
  • MISP 2.3.176
    cpe:2.3:a:misp:misp:2.3.176
  • MISP 2.3.177
    cpe:2.3:a:misp:misp:2.3.177
  • MISP 2.3.178
    cpe:2.3:a:misp:misp:2.3.178
  • MISP 2.4.0
    cpe:2.3:a:misp:misp:2.4.0
  • MISP 2.4.1
    cpe:2.3:a:misp:misp:2.4.1
  • MISP 2.4.2
    cpe:2.3:a:misp:misp:2.4.2
  • MISP 2.4.3
    cpe:2.3:a:misp:misp:2.4.3
  • MISP 2.4.4
    cpe:2.3:a:misp:misp:2.4.4
  • MISP 2.4.5
    cpe:2.3:a:misp:misp:2.4.5
  • MISP 2.4.6
    cpe:2.3:a:misp:misp:2.4.6
  • MISP 2.4.7
    cpe:2.3:a:misp:misp:2.4.7
  • MISP 2.4.9
    cpe:2.3:a:misp:misp:2.4.9
  • MISP 2.4.10
    cpe:2.3:a:misp:misp:2.4.10
  • MISP 2.4.11
    cpe:2.3:a:misp:misp:2.4.11
  • MISP 2.4.12
    cpe:2.3:a:misp:misp:2.4.12
  • MISP 2.4.13
    cpe:2.3:a:misp:misp:2.4.13
  • MISP 2.4.14
    cpe:2.3:a:misp:misp:2.4.14
  • MISP 2.4.15
    cpe:2.3:a:misp:misp:2.4.15
  • MISP 2.4.16
    cpe:2.3:a:misp:misp:2.4.16
  • MISP 2.4.17
    cpe:2.3:a:misp:misp:2.4.17
  • MISP 2.4.18
    cpe:2.3:a:misp:misp:2.4.18
  • MISP 2.4.20
    cpe:2.3:a:misp:misp:2.4.20
  • MISP 2.4.21
    cpe:2.3:a:misp:misp:2.4.21
  • MISP 2.4.22
    cpe:2.3:a:misp:misp:2.4.22
  • MISP 2.4.23
    cpe:2.3:a:misp:misp:2.4.23
  • MISP 2.4.24
    cpe:2.3:a:misp:misp:2.4.24
  • MISP 2.4.25
    cpe:2.3:a:misp:misp:2.4.25
  • MISP 2.4.26
    cpe:2.3:a:misp:misp:2.4.26
  • MISP 2.4.27
    cpe:2.3:a:misp:misp:2.4.27
  • MISP 2.4.28
    cpe:2.3:a:misp:misp:2.4.28
  • MISP 2.4.29
    cpe:2.3:a:misp:misp:2.4.29
  • MISP 2.4.30
    cpe:2.3:a:misp:misp:2.4.30
  • MISP 2.4.31
    cpe:2.3:a:misp:misp:2.4.31
  • MISP 2.4.32
    cpe:2.3:a:misp:misp:2.4.32
  • MISP 2.4.33
    cpe:2.3:a:misp:misp:2.4.33
  • MISP 2.4.34
    cpe:2.3:a:misp:misp:2.4.34
  • MISP 2.4.35
    cpe:2.3:a:misp:misp:2.4.35
  • MISP 2.4.36
    cpe:2.3:a:misp:misp:2.4.36
  • MISP 2.4.37
    cpe:2.3:a:misp:misp:2.4.37
  • MISP 2.4.38
    cpe:2.3:a:misp:misp:2.4.38
  • MISP 2.4.39
    cpe:2.3:a:misp:misp:2.4.39
  • MISP 2.4.40
    cpe:2.3:a:misp:misp:2.4.40
  • MISP 2.4.41
    cpe:2.3:a:misp:misp:2.4.41
  • MISP 2.4.42
    cpe:2.3:a:misp:misp:2.4.42
  • MISP 2.4.43
    cpe:2.3:a:misp:misp:2.4.43
  • MISP 2.4.44
    cpe:2.3:a:misp:misp:2.4.44
  • MISP 2.4.45
    cpe:2.3:a:misp:misp:2.4.45
  • MISP 2.4.46
    cpe:2.3:a:misp:misp:2.4.46
  • MISP 2.4.47
    cpe:2.3:a:misp:misp:2.4.47
  • MISP 2.4.48
    cpe:2.3:a:misp:misp:2.4.48
  • MISP 2.4.49
    cpe:2.3:a:misp:misp:2.4.49
  • MISP 2.4.50
    cpe:2.3:a:misp:misp:2.4.50
  • MISP 2.4.51
    cpe:2.3:a:misp:misp:2.4.51
  • MISP 2.4.52
    cpe:2.3:a:misp:misp:2.4.52
  • MISP 2.4.53
    cpe:2.3:a:misp:misp:2.4.53
  • MISP 2.4.54
    cpe:2.3:a:misp:misp:2.4.54
  • MISP 2.4.55
    cpe:2.3:a:misp:misp:2.4.55
  • MISP 2.4.56
    cpe:2.3:a:misp:misp:2.4.56
  • MISP 2.4.57
    cpe:2.3:a:misp:misp:2.4.57
  • MISP 2.4.58
    cpe:2.3:a:misp:misp:2.4.58
  • MISP 2.4.59
    cpe:2.3:a:misp:misp:2.4.59
  • MISP 2.4.60
    cpe:2.3:a:misp:misp:2.4.60
  • MISP 2.4.61
    cpe:2.3:a:misp:misp:2.4.61
  • MISP 2.4.62
    cpe:2.3:a:misp:misp:2.4.62
  • MISP 2.4.63
    cpe:2.3:a:misp:misp:2.4.63
  • MISP 2.4.64
    cpe:2.3:a:misp:misp:2.4.64
  • MISP 2.4.65
    cpe:2.3:a:misp:misp:2.4.65
  • MISP 2.4.66
    cpe:2.3:a:misp:misp:2.4.66
  • MISP 2.4.67
    cpe:2.3:a:misp:misp:2.4.67
  • MISP 2.4.68
    cpe:2.3:a:misp:misp:2.4.68
  • MISP 2.4.69
    cpe:2.3:a:misp:misp:2.4.69
  • MISP 2.4.70
    cpe:2.3:a:misp:misp:2.4.70
  • MISP 2.4.71
    cpe:2.3:a:misp:misp:2.4.71
  • MISP 2.4.72
    cpe:2.3:a:misp:misp:2.4.72
  • MISP 2.4.73
    cpe:2.3:a:misp:misp:2.4.73
  • MISP 2.4.74
    cpe:2.3:a:misp:misp:2.4.74
  • MISP 2.4.75
    cpe:2.3:a:misp:misp:2.4.75
  • MISP 2.4.76
    cpe:2.3:a:misp:misp:2.4.76
  • MISP 2.4.77
    cpe:2.3:a:misp:misp:2.4.77
  • MISP 2.4.78
    cpe:2.3:a:misp:misp:2.4.78
  • MISP 2.4.79
    cpe:2.3:a:misp:misp:2.4.79
  • MISP 2.4.80
    cpe:2.3:a:misp:misp:2.4.80
  • MISP 2.4.81
    cpe:2.3:a:misp:misp:2.4.81
  • MISP 2.4.82
    cpe:2.3:a:misp:misp:2.4.82
  • MISP 2.4.83
    cpe:2.3:a:misp:misp:2.4.83
  • MISP 2.4.84
    cpe:2.3:a:misp:misp:2.4.84
  • MISP 2.4.85
    cpe:2.3:a:misp:misp:2.4.85
  • MISP 2.4.86
    cpe:2.3:a:misp:misp:2.4.86
  • MISP 2.4.87
    cpe:2.3:a:misp:misp:2.4.87
  • MISP 2.4.88
    cpe:2.3:a:misp:misp:2.4.88
  • MISP 2.4.89
    cpe:2.3:a:misp:misp:2.4.89
  • MISP 2.4.90
    cpe:2.3:a:misp:misp:2.4.90
  • MISP 2.4.91
    cpe:2.3:a:misp:misp:2.4.91
  • MISP 2.4.92
    cpe:2.3:a:misp:misp:2.4.92
  • MISP 2.4.93
    cpe:2.3:a:misp:misp:2.4.93
  • MISP 2.4.94
    cpe:2.3:a:misp:misp:2.4.94
  • MISP 2.4.95
    cpe:2.3:a:misp:misp:2.4.95
  • MISP 2.4.96
    cpe:2.3:a:misp:misp:2.4.96
  • MISP 2.4.97
    cpe:2.3:a:misp:misp:2.4.97
  • MISP 2.4.98
    cpe:2.3:a:misp:misp:2.4.98
  • MISP 2.4.99
    cpe:2.3:a:misp:misp:2.4.99
  • MISP 2.4.100
    cpe:2.3:a:misp:misp:2.4.100
  • MISP 2.4.101
    cpe:2.3:a:misp:misp:2.4.101
  • MISP 2.4.102
    cpe:2.3:a:misp:misp:2.4.102
  • MISP 2.4.103
    cpe:2.3:a:misp:misp:2.4.103
  • MISP 2.4.104
    cpe:2.3:a:misp:misp:2.4.104
  • MISP 2.4.105
    cpe:2.3:a:misp:misp:2.4.105
  • MISP 2.4.106
    cpe:2.3:a:misp:misp:2.4.106
  • MISP 2.4.107
    cpe:2.3:a:misp:misp:2.4.107
  • MISP 2.4.108
    cpe:2.3:a:misp:misp:2.4.108
  • MISP 2.4.109
    cpe:2.3:a:misp:misp:2.4.109
  • MISP 2.4.110
    cpe:2.3:a:misp:misp:2.4.110
  • MISP 2.4.111
    cpe:2.3:a:misp:misp:2.4.111
  • MISP 2.4.112
    cpe:2.3:a:misp:misp:2.4.112
  • MISP 2.4.113
    cpe:2.3:a:misp:misp:2.4.113
  • MISP 2.4.114
    cpe:2.3:a:misp:misp:2.4.114
CVSS
Base: 4.0
Impact:
Exploitability:
CWE CWE-269
CAPEC
  • Restful Privilege Elevation
    REST uses standard HTTP method-style permissions (GET, PUT, DELETE), but these are not necessarily correlated with the back-end programs they invoke. A strict interpretation of HTTP GET means that GET services should not be used to delete information on the server, but there is no access control mechanism to enforce this logic. Unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program that updates orders in a database or other resource. The URL is not idempotent, so the request can be submitted multiple times by the attacker; additionally, the attacker may be able to exploit a URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
Last major update 10-09-2019 - 11:07
Published 10-09-2019 - 10:15
Last modified 11-09-2019 - 14:34