/horizontal-privilege-escalation

A threat actor may perform unauthorized functions belonging to another user with a similar privilege level

GNU Affero General Public License v3.0 (AGPL-3.0)

Example #1

  1. Threat actor alters a value that indicates the user's group
  2. Target authorizes adversary to perform functions as if they were part of that group

Names

  • Horizontal access control attack

Impact

Varies

Risk

  • Read & modify data
  • Execute commands

Redemption

  • Validate access control
  • Least privilege
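The following is an added illustration of both the example above and the two remediations; it is not code from the original entry. It assumes a constructed web application in which a client-supplied `group` parameter is trusted by the vulnerable handler, while the hardened handler derives the group from the server-side session and checks the document's owning group before returning it. The user directory, session table and documents are all constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data: server-side user directory, session table and
# group-owned documents. In a real application these live in a database.
USERS = {"alice": {"group": "sales"}, "bob": {"group": "finance"}}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
DOCUMENTS = {
    "q3-forecast": {"group": "finance", "body": "finance-only content"},
    "price-list": {"group": "sales", "body": "sales-only content"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: a session cookie plus parameters."""
    session_id: str
    params: dict = field(default_factory=dict)


def vulnerable_read(req: Request, doc_id: str):
    """Horizontal privilege escalation: the access decision is based on a
    'group' value the client controls. Any authenticated user who alters that
    parameter can read documents belonging to another group at the same
    privilege level."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return None
    if req.params.get("group") == doc["group"]:
        return doc["body"]
    return None


def resolve_group(req: Request):
    """Server-side source of truth: group comes from the session, never the client."""
    user = SESSIONS.get(req.session_id)
    if user is None:
        return None
    return USERS[user]["group"]


def hardened_read(req: Request, doc_id: str):
    """Validate access control: compare the document's owning group against
    the group resolved from the session. Least privilege: a user sees only
    documents of their own group, and unknown sessions see nothing."""
    group = resolve_group(req)
    doc = DOCUMENTS.get(doc_id)
    if group is None or doc is None or doc["group"] != group:
        return None
    return doc["body"]


def tampering_suspected(req: Request) -> bool:
    """Detection signal: a client-supplied 'group' that disagrees with the
    session's real group indicates an altered parameter worth logging."""
    claimed = req.params.get("group")
    actual = resolve_group(req)
    return claimed is not None and actual is not None and claimed != actual


if __name__ == "__main__":
    # alice (sales) alters the group value to "finance" and requests a finance document.
    tampered = Request("sess-alice", {"group": "finance"})
    print("vulnerable:", vulnerable_read(tampered, "q3-forecast"))  # leaks the document
    print("hardened:  ", hardened_read(tampered, "q3-forecast"))    # None
    print("tampering: ", tampering_suspected(tampered))              # True
```

The contrast is the whole point: the vulnerable handler never consults who the session belongs to, so the group value is effectively an authorization token chosen by the attacker; the hardened handler makes the authorization decision from server-held state and treats a mismatched client value as an audit event rather than as input.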

ID

cb8496ab-c8f4-4fda-99a3-37e0b8bc2d55

References