Missing Function Level Access Control

Critical Nessus Plugin ID 121039

Synopsis

The web application fails to restrict access to potentially privileged functionality.

Description

The remote web application fails to apply function level access control. This allows a low-privileged or unprivileged user to access restricted functionality in the application.

Solution

Authorization must be checked for all privileged functions in the application.

Plugin Details

Severity: Critical

ID: 121039

File Name: missing_func_level_access_ctrl.nbin

Version: 1.60

Type: remote

Family: CGI abuses

Published: 1/9/2019

Updated: 9/3/2024

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Authorization bypass score

CVSS v2

Risk Factor: High

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: manual

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Vulnerability Information

Required KB Items: Settings/enable_web_app_tests, Settings/ParanoidReport