External Control of Assumed-Immutable Web Parameter

CVE-2021-27770

Medium

6.8/10

Summary

The vulnerability was discovered within the “FaviconService”. The service takes a base64-encoded URL which is then requested by the webserver. We assume this service is used by the “meetings”-function where users can specify an external URL where the online meeting will take place.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: LOW

CWE-472 - External Control of Assumed-Immutable Web Parameter

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

References

Advisory Timeline

Published May 12, 2022

External Control of Assumed-Immutable Web Parameter

CVE-2021-27770

Summary

CWE-472 - External Control of Assumed-Immutable Web Parameter

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS