SYM_JSTS_0062 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficiently Protected Credentials
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-522: Insufficiently Protected Credentials |
OWASP | A02:2017 - Broken Authentication |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Medium |
Description
User input is used directly as an object property name in bracket notation (e.g., `obj[userInput]`), which can let attackers access or modify unexpected properties, including those on the object's prototype. Always use fixed property names, or validate user input before using it as a property key.
Impact
If exploited, an attacker could overwrite or read sensitive object properties, potentially leading to unauthorized access, data leakage, privilege escalation, or application crashes. This can undermine application security and expose critical data or functionality.
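The flagged pattern next to a validated version, as an added example that is not part of the original rule page. The `settings` objects, the `ALLOWED_FIELDS` allow-list and all function names are assumptions made for the illustration.

```javascript
// Allow-list of fields a caller may touch (constructed for this example).
const ALLOWED_FIELDS = new Set(["theme", "language"]);

// Flagged pattern: the caller-supplied key goes straight into bracket notation.
function unsafeGet(settings, key) {
  return settings[key]; // also resolves inherited names such as "constructor"
}
function unsafeSet(settings, key, value) {
  settings[key] = value; // a "__proto__" key replaces the object's prototype
}

// Hardened read: the key must be an allow-listed string and an own property.
function safeGet(settings, key) {
  if (typeof key !== "string" || !ALLOWED_FIELDS.has(key)) return undefined;
  return Object.prototype.hasOwnProperty.call(settings, key) ? settings[key] : undefined;
}

// Hardened write: reject anything outside the allow-list before assigning.
function safeSet(settings, key, value) {
  if (typeof key !== "string" || !ALLOWED_FIELDS.has(key)) {
    throw new RangeError("unknown settings field");
  }
  settings[key] = value;
}

// Runs both variants over the same constructed keys and reports the outcome.
function demo() {
  const a = { theme: "dark" };
  unsafeSet(a, "__proto__", { role: "admin" }); // `role` is never an own property of `a`
  const b = { theme: "dark" };
  let rejected = false;
  try {
    safeSet(b, "__proto__", { role: "admin" });
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  safeSet(b, "language", "en");
  return {
    unsafeInherited: typeof unsafeGet({ theme: "dark" }, "constructor"),
    unsafeRole: a.role,
    safeInherited: safeGet(b, "constructor"),
    safeRole: b.role,
    rejected,
    safeTheme: safeGet(b, "theme"),
    safeLanguage: safeGet(b, "language"),
  };
}
```

When the set of keys is open-ended and an allow-list is not practical, a `Map` or an object created with `Object.create(null)` avoids inherited property names altogether.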