Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Unsafe use of Reflection - Vulnerability Database

Unsafe use of Reflection

Description

This web application is using Object Reflection in an insecure way. Object Reflection is a programming technique used to inspect and change the behavior of a program at runtime. Object Reflection allows instantiation of new objects, methods, and get/set operations on class variables dynamically at run time without having prior knowledge of its implementation.

It was determined that an attacker can control the class name to be instantiated via externally-controlled user input.

Remediation

Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.

References

Unsafe use of Reflection
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Related Vulnerabilities

JSP authentication bypass High
Common tags: Abuse Of Functionality Authentication Bypass
WordPress plugin Custom Contact Forms critical vulnerability High
Common tags: Abuse Of Functionality Authentication Bypass
URL rewrite vulnerability Medium
Common tags: Abuse Of Functionality Authentication Bypass
DotNetNuke multiple vulnerabilities High
Common tags: Abuse Of Functionality Authentication Bypass
WordPress Plugin Easy WP SMTP Security Bypass (1.4.2) High
Common tags: Authentication Bypass

Severity

High

Classification

CWE-470
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Tags

Abuse Of Functionality
Authentication Bypass