Insecure Direct Object References in ECOA BAS Controller: Remote Authorization Bypass and Privileged Functionality Execution

CVE-2021-41298 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The ECOA BAS controller is vulnerable to insecure direct object references (IDOR), which occur when the application grants direct access to objects based on user-supplied input without a server-side authorization check. As a result, an attacker holding only general user privileges can remotely bypass authorization, access hidden resources in the system, and execute privileged functionality.
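To make the failure mode concrete, the following added example (not ECOA's code; the object table, ids, roles and function names are all constructed for illustration) places an IDOR-prone object lookup next to a hardened one that authorizes each object server-side before it is returned or acted on:

```python
# Added illustration, not the controller's own code. Object ids, roles,
# owners and the resource table below are constructed sample data.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str          # hypothetical roles: "user" or "admin"


@dataclass(frozen=True)
class Resource:
    owner: str
    hidden: bool       # hidden objects are meant to be reachable only by admins
    privileged: bool   # invoking this object runs a privileged function


# Constructed stand-in for a controller's object store.
RESOURCES = {
    100: Resource(owner="alice", hidden=False, privileged=False),
    101: Resource(owner="bob",   hidden=False, privileged=False),
    900: Resource(owner="admin", hidden=True,  privileged=True),
}


def get_resource_vulnerable(user: User, object_id: int) -> Optional[Resource]:
    # The id taken from the request selects the object directly; the caller's
    # identity is never consulted. Any authenticated user who supplies 900
    # reaches the hidden, privileged object: this is the IDOR pattern.
    return RESOURCES.get(object_id)


def get_resource_hardened(user: User, object_id: int) -> Optional[Resource]:
    """Look the object up, then authorize it before handing it back.

    In an HTTP handler each None below would map to a 403/404 response."""
    res = RESOURCES.get(object_id)
    if res is None:
        return None
    # Ownership check: ordinary users only see objects they own.
    if user.role != "admin" and res.owner != user.name:
        return None
    # Hidden or privileged objects additionally require the admin role.
    if (res.hidden or res.privileged) and user.role != "admin":
        return None
    return res


def run_privileged(user: User, object_id: int,
                   lookup: Callable[[User, int], Optional[Resource]]) -> bool:
    """Simulate 'execute privileged functionality'; True means it ran."""
    res = lookup(user, object_id)
    return res is not None and res.privileged
```

The hardened lookup decides access from the caller's identity and role rather than from the supplied id, so guessing or enumerating ids no longer yields hidden objects or privileged actions.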
