SYM_RB_0014 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
OWASP | A08:2021 - Software and Data Integrity Failures |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
The code assigns request parameters (params) directly to model attributes without attribute protection, or passes :without_protection => true, which bypasses the attribute whitelist entirely (mass assignment). As a result, anyone who controls the request can set sensitive or restricted fields they should not be able to modify.
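As an added illustration (not code from the Symbiotic database or from Rails itself), the following Rails-free Ruby simulation shows the two behaviours the description contrasts: a whitelist that drops unexpected keys, and the :without_protection => true path that lets every submitted key reach the model. The User class, its ACCESSIBLE list, the permit helper and the PARAMS hash are all constructed for the example.

```ruby
# Constructed request parameters, as a form post would deliver them.
PARAMS = { "name" => "alice", "email" => "alice@example.com",
           "admin" => "1", "status" => "banned" }.freeze

class User
  # Constructed whitelist: the only attributes a form may set.
  ACCESSIBLE = %w[name email].freeze

  attr_reader :attributes

  def initialize
    @attributes = { "name" => nil, "email" => nil, "admin" => false, "status" => "active" }
  end

  # Mirrors mass assignment: with the whitelist enforced, keys outside
  # ACCESSIBLE are silently dropped; with without_protection: true every key lands.
  def assign_attributes(params, without_protection: false)
    params.each do |key, value|
      next unless without_protection || ACCESSIBLE.include?(key)
      @attributes[key] = value
    end
    self
  end
end

# Controller-side filtering in the style of strong parameters: only the listed keys survive.
def permit(params, *allowed)
  names = allowed.map(&:to_s)
  params.select { |key, _| names.include?(key) }
end

# Vulnerable path: the whitelist is bypassed, so "admin" and "status" are overwritten.
def vulnerable_update(params)
  User.new.assign_attributes(params, without_protection: true).attributes
end

# Hardened path: filter in the controller and keep the model whitelist enforced.
def protected_update(params)
  User.new.assign_attributes(permit(params, :name, :email)).attributes
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_update(PARAMS)  # "admin" => "1", "status" => "banned"
  p protected_update(PARAMS)   # "admin" => false, "status" => "active"
end
```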
Impact
An attacker could add extra fields to a submitted form to modify protected attributes (such as admin roles, account status, or other sensitive data), potentially leading to privilege escalation, unauthorized data changes, or a loss of application integrity.