Security Bypass

2023-11-1509:57:15

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

microsoft.aspnetcore.components

vulnerability

unauthenticated user

server validation

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

7.2 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.8%

JSON

Microsoft.AspNetCore.Components is vulnerable to Security Bypass. The vulnerability arises due to a lack of validation on blazer server. An unauthenticated user is able to bypass validation on blazer server forms.

CPENameOperatorVersion
microsoft.aspnetcore.componentsle7.0.13
microsoft.aspnetcore.componentsle8.0.0-rc.2.23480.2
microsoft.aspnetcore.componentsle6.0.24
dotnet6-runtime:edgeeq6.0.18-r0
dotnet6-runtime:edgeeq6.0.24-r0
dotnet6-runtime:edgeeq6.0.11-r0
dotnet6-runtime:edgeeq6.0.3-r1
dotnet6-runtime:edgeeq6.0.5-r1
dotnet6-runtime:edgeeq6.0.2-r1
dotnet6-runtime:edgeeq6.0.10-r2

Name	Operator	Version
microsoft.aspnetcore.components	le	7.0.13
microsoft.aspnetcore.components	le	8.0.0-rc.2.23480.2
microsoft.aspnetcore.components	le	6.0.24
dotnet6-runtime:edge	eq	6.0.18-r0
dotnet6-runtime:edge	eq	6.0.24-r0
dotnet6-runtime:edge	eq	6.0.11-r0
dotnet6-runtime:edge	eq	6.0.3-r1
dotnet6-runtime:edge	eq	6.0.5-r1
dotnet6-runtime:edge	eq	6.0.2-r1
dotnet6-runtime:edge	eq	6.0.10-r2