lucasRW 4 days ago
"really all you need is basic admin knowledge of Entra ID" > Yes, because any "basic user of Entra ID with basic knowledge of it" has found undocumented types of tokens, and strung them with another Graph API vulnerability, to impersonate users... Basic Entra ID users don't even know what an Entra ID token is exactly.
Freak_NL 4 days ago
Having knowledge of the exploit itself does not seem to factor into determining the complexity of the exploit. Rather, it appears to document the complexity of executing it against any given target, given that the exploit is known to the attacker (and someone else has done the hard work of finding it). See the 'A successful attack depends on conditions beyond the attacker's control.' part in the documentation of 'high'. In this exploit, there are hardly any conditions beyond the attacker's control which must be satisfied.