Property: Value
Language: java
Severity: medium
CWE: CWE-501: Trust Boundary Violation
OWASP: A04:2021 - Insecure Design
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input from HTTP requests is stored directly in session attributes without validation or sanitization. Code that later reads the session normally treats its contents as trusted, so placing unvalidated request data there lets an attacker control session state that subsequent logic relies on.

Impact

If exploited, attackers could inject malicious data into the user session, potentially leading to privilege escalation, unauthorized actions, or bypassing security checks. This compromises the trust boundary between user input and secure session data, putting sensitive operations and user accounts at risk.
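The pattern above, as an added example that is not part of this rule's own documentation: a request parameter written to the session unchecked, beside a hardened form that validates against an allow-list first. The session and request are modelled as plain Maps so the class compiles stand-alone; with the Servlet API the same steps are request.getParameter(...) and session.setAttribute(...). The parameter name "role" and the allowed values are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added example, not the scanner's code. Session and request are Maps here
// so the example runs without a servlet container.
public class SessionTrustBoundary {
    // Values the application is prepared to trust once they sit in the session.
    private static final Set<String> KNOWN_ROLES = Set.of("user", "auditor");

    // Vulnerable: the raw parameter crosses the trust boundary unchecked, so a
    // client-chosen value lands in session state that authorization code will
    // later treat as trustworthy (CWE-501).
    public static void storeRoleUnsafe(Map<String, String> request, Map<String, Object> session) {
        session.put("role", request.get("role"));
    }

    // Hardened: normalise and validate against an allow-list before the value is
    // trusted. Anything outside the list is rejected and the session is untouched.
    // For attributes that drive authorization, the stronger fix is to derive them
    // server-side from the authenticated identity rather than from the request.
    public static Optional<String> validateRole(String raw) {
        if (raw == null) return Optional.empty();
        String candidate = raw.trim().toLowerCase();
        return KNOWN_ROLES.contains(candidate) ? Optional.of(candidate) : Optional.empty();
    }

    public static boolean storeRoleSafe(Map<String, String> request, Map<String, Object> session) {
        Optional<String> role = validateRole(request.get("role"));
        role.ifPresent(r -> session.put("role", r));
        return role.isPresent(); // false means the request was rejected, session unchanged
    }

    public static void main(String[] args) {
        Map<String, String> request = new HashMap<>();
        request.put("role", "admin"); // constructed attacker-controlled input

        Map<String, Object> unsafeSession = new HashMap<>();
        storeRoleUnsafe(request, unsafeSession);
        System.out.println("unsafe session role = " + unsafeSession.get("role"));

        Map<String, Object> safeSession = new HashMap<>();
        boolean accepted = storeRoleSafe(request, safeSession);
        System.out.println("hardened: accepted=" + accepted + ", role=" + safeSession.get("role"));
    }
}
```

Running main shows the unchecked path storing the client's value while the hardened path rejects it and leaves the session empty.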