From b7fad0d2789f14782dd04147e920d1c65bce1d1b Mon Sep 17 00:00:00 2001 From: TimmyBc Date: Sun, 4 May 2025 11:25:55 +0200 Subject: [PATCH 1/2] Revert "Bypass of Password Confirmation on Password Change" This reverts commit 3418212fd5ec34b5d96bb48097113c6329265c6c. From 7bff2e7a5224ff295a3121eae32d3c487c804247 Mon Sep 17 00:00:00 2001 From: TimmyBc Date: Sun, 4 May 2025 10:49:01 +0200 Subject: [PATCH 2/2] Bypass of Password Confirmation on Password Change MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add: Broken Access Control – Bypass of Password Confirmation – Change Password --- mappings/cvss_v3/cvss_v3.json | 4 ++++ mappings/remediation_advice/remediation_advice.json | 7 +++++++ vulnerability-rating-taxonomy.json | 13 +++++++++++++ 3 files changed, 24 insertions(+) diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json index 6f00745..75d8265 100644 --- a/mappings/cvss_v3/cvss_v3.json +++ b/mappings/cvss_v3/cvss_v3.json @@ -240,6 +240,10 @@ "id": "broken_access_control", "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "children": [ + { + "id": "bypass_of_password_confirmation", + "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" + }, { "id": "privilege_escalation", "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json index 1373d06..8489fb8 100644 --- a/mappings/remediation_advice/remediation_advice.json +++ b/mappings/remediation_advice/remediation_advice.json @@ -358,6 +358,13 @@ { "id": "broken_access_control", "children": [ + { + "id": "bypass_of_password_confirmation", + "remediation_advice": "Ensure that password confirmation checks are enforced server-side for all sensitive operations. Do not rely solely on client-side enforcement, as it can be bypassed. Use middleware or access control logic to validate the user's current password before processing the request.", + "references": [ + "https://portswigger.net/web-security/access-control" + ] + }, { "id": "exposed_sensitive_android_intent", "remediation_advice": "1. If you use an intent to bind to a Service, ensure that your app is secure by using an explicit intent. Using an implicit intent to start a service is a security risk as you can't be certain what service will respond to the intent, and the user can't see which service starts.\n2. If data within a broadcast intent may be sensitive, you should consider applying a permission to make sure that malicious applications can't register to receive those messages without appropriate permissions. In these circumstances you may also consider invoking the receiver directly rather than raising a broadcast.\n3. By default, receivers are exported and can be invoked by any other application. If your BroadcastReceiver is intended for use by other applications, you may want to apply security permissions to receivers using the element within the application manifest. This prevents applications without appropriate permissions from sending an intent to the BroadcastReceiver.\n", diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json index b89dee9..72397ae 100644 --- a/vulnerability-rating-taxonomy.json +++ b/vulnerability-rating-taxonomy.json @@ -378,6 +378,19 @@ "name": "Broken Access Control (BAC)", "type": "category", "children": [ + { + "id": "bypass_of_password_confirmation", + "name": "Bypass of Password Confirmation", + "type": "subcategory", + "children": [ + { + "id": "change_password", + "name": "Change Password", + "type": "variant", + "priority": 4 + } + ] + }, { "id": "exposed_sensitive_android_intent", "name": "Exposed Sensitive Android Intent",