Object-Relational Mapping (ORM) Leak

high Web App Scanning Plugin ID 115010

Synopsis

Object-Relational Mapping (ORM) Leak

Description

An Object-Relational Mapping (ORM) Leak occurs when an application lets user-controlled input decide not just the values but the field names and operators of an ORM query, for example by expanding request parameters straight into a filter call such as Django's `Model.objects.filter(**request.GET.dict())`. Because ORM filter keys can name related tables and comparison operators (`author__password__startswith=...`), an attacker can filter on columns the endpoint was never meant to expose and use the presence or absence of results as an oracle to recover their contents one character at a time. This can disclose sensitive information from the database, such as user credentials (including password hashes), personal information, or other confidential data. Where the same pattern reaches update or delete calls, it can also allow an attacker to perform unauthorized data modification operations.

Solution

Never expand user-controllable input directly into ORM query arguments (no `filter(**params)` built from request data), since the parameter names, not only the values, then control which columns and relationships are queried. Maintain a strict whitelist of the fields, relationship paths and lookup operators each endpoint may filter or search on, map validated input onto ORM calls only through that whitelist, and reject any key outside it. Restrict the relationships that can be traversed and the columns that are returned so that a permitted filter cannot reach sensitive models such as user or credential tables, and validate and type-check all input values to prevent malicious query modifications.
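The following is an added worked example, not code from Tenable or from the referenced elttam post. It uses a tiny in-memory stand-in for an ORM `filter(**kwargs)` call that understands Django-style `field__relation__lookup` keys (the `orm_filter`, `vulnerable_search`, `leak_password`, `build_safe_filters` and `safe_search` names, the sample rows and the fake password hashes are all constructed for illustration). It shows the leak end to end: a search endpoint that forwards request parameters unchanged lets an attacker walk the `author` relation and recover a password hash with `startswith` as an oracle, while the whitelisted version rejects the same keys.

```python
"""ORM leak demo: unrestricted filter(**params) versus an allowlisted filter.
Hypothetical in-memory ORM stand-in; not Django and not Tenable/elttam code."""

# Constructed sample data: Article rows whose `author` relation points at a
# User row that carries a (fake, constructed) password hash.
USERS = {
    1: {"id": 1, "username": "alice", "password": "pbkdf2$abc123"},
    2: {"id": 2, "username": "bob", "password": "pbkdf2$zzz999"},
}
ARTICLES = [
    {"id": 10, "title": "Hello", "author": USERS[1]},
    {"id": 11, "title": "World", "author": USERS[2]},
]

# Lookup operators the stand-in ORM understands (a subset of Django's).
LOOKUPS = {
    "exact": lambda value, arg: value == arg,
    "startswith": lambda value, arg: str(value).startswith(arg),
    "contains": lambda value, arg: arg in str(value),
}


def _resolve(row, path):
    """Follow a relation path such as ["author", "password"] through nested rows."""
    for part in path:
        row = row[part]
    return row


def orm_filter(rows, **kwargs):
    """Imitates Model.objects.filter(): each key is field[__relation...][__lookup]."""
    matches = []
    for row in rows:
        keep = True
        for key, arg in kwargs.items():
            parts = key.split("__")
            has_lookup = parts[-1] in LOOKUPS
            lookup = parts[-1] if has_lookup else "exact"
            path = parts[:-1] if has_lookup else parts
            try:
                value = _resolve(row, path)
            except (KeyError, TypeError):  # unknown column or relation
                keep = False
                break
            if not LOOKUPS[lookup](value, arg):
                keep = False
                break
        if keep:
            matches.append(row)
    return matches


# --- Vulnerable pattern: request parameters forwarded unchanged ---------------
def vulnerable_search(params):
    """The bug: parameter *names* from the client become ORM filter keys."""
    return orm_filter(ARTICLES, **params)


def leak_password(victim_username, alphabet="pbkdf2$abcxyz0123456789", max_len=32):
    """Attacker side: recover the victim's password hash one character at a time.
    'Any article returned' is the oracle; author__password__startswith does the work."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            hit = vulnerable_search({
                "author__username": victim_username,
                "author__password__startswith": known + ch,
            })
            if hit:
                known += ch
                break
        else:
            return known  # no character extends the prefix: full value recovered
    return known


# --- Hardened pattern: allowlist of field -> permitted lookups -----------------
ALLOWED_FILTERS = {
    "title": {"exact", "contains"},
    "author__username": {"exact"},  # relation traversal only where intended
}


class DisallowedFilter(ValueError):
    """Raised when a client supplies a field or lookup outside the allowlist."""


def build_safe_filters(params, allowed=ALLOWED_FILTERS):
    """Translate client parameters into ORM kwargs, rejecting anything unlisted."""
    safe = {}
    for key, arg in params.items():
        field, _, lookup = key.rpartition("__")
        if not field or lookup not in LOOKUPS:  # no lookup suffix: plain field, exact match
            field, lookup = key, "exact"
        if field not in allowed or lookup not in allowed[field]:
            raise DisallowedFilter(f"filter not permitted: {key}")
        safe[f"{field}__{lookup}"] = arg
    return safe


def safe_search(params):
    return orm_filter(ARTICLES, **build_safe_filters(params))


if __name__ == "__main__":
    print("leaked hash for alice:", leak_password("alice"))
    print("safe title search:", [a["id"] for a in safe_search({"title__contains": "ell"})])
    try:
        safe_search({"author__password__startswith": "p"})
    except DisallowedFilter as exc:
        print("rejected:", exc)
```

The important detail in `build_safe_filters` is that the client never names an ORM key directly: each incoming key is split into a field path and a lookup, both are checked against the allowlist, and only then is a key rebuilt for the ORM. Unknown relations (`author__password`), unlisted lookups (`startswith` on `title`) and malformed keys all fail closed with an exception rather than reaching the database.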

See Also

https://www.elttam.com/blog/plormbing-your-django-orm/

Plugin Details

Severity: High

ID: 115010

Type: remote

Family: Injection

Published: 10/21/2025

Updated: 10/24/2025

Scan Template: api, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 6.2

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 7.2

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 20

OWASP: 2010-A4, 2013-A4, 2017-A5, 2021-A3

WASC: Improper Input Handling

CAPEC: 10, 101, 104, 108, 109, 110, 120, 13, 135, 136, 14, 153, 182, 209, 22, 23, 230, 231, 24, 250, 261, 267, 28, 3, 31, 42, 43, 45, 46, 47, 473, 52, 53, 588, 63, 64, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-002560

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-5.1.3

PCI-DSS: 3.2-6.5