SYM_JSTS_0088 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
URL Redirection to Untrusted Site ('Open Redirect')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Using Object.assign() to merge user-controlled data into an existing object can let attackers overwrite sensitive fields or introduce unexpected properties, especially when the merged input is the raw output of JSON.parse(). This can expose or modify data in ways you did not intend.
Impact
If exploited, an attacker could manipulate object properties such as user roles, permissions, or internal flags, leading to unauthorized access, privilege escalation, or data leakage. This can break access controls and compromise sensitive information across your application.
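The pattern this entry warns about, shown beside a hardened version that copies only allow-listed fields; this is an added example, not code from the Symbiotic database entry, and the user record, field names and sample request body are constructed for illustration.

```javascript
// Added example (not from the database entry): merging a parsed request body
// into a stored record with Object.assign(), beside a hardened version.
// The record shape, EDITABLE_FIELDS and SAMPLE_BODY are constructed.

// Constructed stored record; `role` is the server-controlled sensitive field.
function makeUser() {
  return { id: 42, displayName: "alice", email: "alice@example.com", role: "user" };
}

// Vulnerable: every key in the client-supplied JSON lands on the record,
// so a body that happens to contain "role" silently overwrites the real role.
function applyProfileUpdateUnsafe(user, rawBody) {
  const patch = JSON.parse(rawBody);
  return Object.assign(user, patch);
}

// Hardened: reject non-object bodies, then copy only the fields a client is
// allowed to change. Anything else is reported so it can be logged.
const EDITABLE_FIELDS = ["displayName", "email"];

function applyProfileUpdateSafe(user, rawBody) {
  const patch = JSON.parse(rawBody);
  if (patch === null || typeof patch !== "object" || Array.isArray(patch)) {
    throw new TypeError("profile update must be a JSON object");
  }
  const rejected = [];
  for (const key of Object.keys(patch)) {
    if (EDITABLE_FIELDS.includes(key)) {
      user[key] = patch[key];
    } else {
      rejected.push(key); // unexpected fields are a useful detection signal
    }
  }
  return { user, rejected };
}

// Constructed request body: a legitimate rename plus an extra "role" key.
const SAMPLE_BODY = JSON.stringify({ displayName: "alice2", role: "admin" });

const unsafeResult = applyProfileUpdateUnsafe(makeUser(), SAMPLE_BODY);
console.log("unsafe role:", unsafeResult.role); // prints "admin"
const safeResult = applyProfileUpdateSafe(makeUser(), SAMPLE_BODY);
console.log("safe role:", safeResult.user.role, "rejected:", safeResult.rejected); // "user" [ "role" ]
```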