bugcrowd · TimmyBugcrowd · Apr 20, 2025 · May 4, 2025 · May 4, 2025 · May 4, 2025
diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json
@@ -240,6 +240,10 @@
       "id": "broken_access_control",
       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
       "children": [
+        {
+          "id": "bypass_of_password_confirmation",
+          "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
+        },
         {
           "id": "privilege_escalation",
           "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
@@ -921,6 +925,10 @@
     {
       "id": "sensitive_data_exposure",
       "children": [
+        {
+          "id": "graphql_introspection_enabled",
+          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        },
         {
           "id": "disclosure_of_known_public_information",
           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"

diff --git a/mappings/cwe/cwe.json b/mappings/cwe/cwe.json
@@ -774,6 +774,12 @@
         "CWE-934"
       ],
       "children": [
+        {
+          "id": "graphql_introspection_enabled",
+          "cwe": [
+            "CWE-200"
+          ]
+        },
         {
           "id": "disclosure_of_known_public_information",
           "cwe": [

diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
@@ -358,6 +358,13 @@
     {
       "id": "broken_access_control",
       "children": [
+        {
+          "id": "bypass_of_password_confirmation",
+          "remediation_advice": "Ensure that password confirmation checks are enforced server-side for all sensitive operations. Do not rely solely on client-side enforcement, as it can be bypassed. Use middleware or access control logic to validate the user's current password before processing the request.",
+          "references": [
+            "https://portswigger.net/web-security/access-control"
+          ]
+        },
         {
           "id": "exposed_sensitive_android_intent",
           "remediation_advice": "1. If you use an intent to bind to a Service, ensure that your app is secure by using an explicit intent. Using an implicit intent to start a service is a security risk as you can't be certain what service will respond to the intent, and the user can't see which service starts.\n2. If data within a broadcast intent may be sensitive, you should consider applying a permission to make sure that malicious applications can't register to receive those messages without appropriate permissions. In these circumstances you may also consider invoking the receiver directly rather than raising a broadcast.\n3. By default, receivers are exported and can be invoked by any other application. If your BroadcastReceiver is intended for use by other applications, you may want to apply security permissions to receivers using the <receiver> element within the application manifest. This prevents applications without appropriate permissions from sending an intent to the BroadcastReceiver.\n",
@@ -1233,10 +1240,14 @@
         "https://www.cvedetails.com/vulnerability-list/opginf-1/gain-information.html"
       ],
       "children": [
+        {
+          "id": "graphql_introspection_enabled",
+          "remediation_advice": "Disable GraphQL introspection in production environments to prevent attackers from enumerating the API schema."
+        }, 
         {
           "id": "disclosure_of_known_public_information",
           "remediation_advice": "As a best practice, avoid disclosing known public information unnecessarily."
-        },
+        },       
         {
           "id": "disclosure_of_secrets",
           "remediation_advice": "1. Do not store secrets in source code that is publicly accessible such as in a public GitHub repository.\n2. Critically sensitive data should not be transmitted in cleartext. Make sure to only use `HTTPS` whenever transmitting passwords and private API keys.\n3. Set appropriate headers to prevent caching of sensitive data when served to end-user."

diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json
@@ -378,6 +378,19 @@
       "name": "Broken Access Control (BAC)",
       "type": "category",
       "children": [
+        {
+          "id": "bypass_of_password_confirmation",
+          "name": "Bypass of Password Confirmation",
+          "type": "subcategory",
+          "children": [
+            {
+              "id": "change_password",
+              "name": "Change Password",
+              "type": "variant",
+              "priority": 4
+            }
+          ]
+        },
         {
           "id": "exposed_sensitive_android_intent",
           "name": "Exposed Sensitive Android Intent",
@@ -1836,6 +1849,12 @@
       "name": "Sensitive Data Exposure",
       "type": "category",
       "children": [
+        {
+          "id": "graphql_introspection_enabled",
+          "name": "GraphQL Introspection Enabled",
+          "type": "subcategory",
+          "priority": 5
+        },
         {
           "id": "disclosure_of_known_public_information",
           "name": "Disclosure of Known Public Information",