Description

This web application is configured with a Page section that has the property enableEventValidation set to false. When configured this way, it will disable ASP.NET's validation of control events and permit an attacker to submit unexpected values.

Remediation

It's recommended to globally set the Pages property enableEventValidation to true and remove individual page directives. 

<pages enableEventValidation="true" />

References

EnableEventValidation

Related Vulnerabilities

Apache stronghold-info enabled

HTTP verb tampering via POST

Laravel Terminal open

Web Cache Poisoning via Fat GET Request

Pentaho API Auth bypass (CVE-2021-31602)

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration