SYM_RB_0015 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Restriction of Rendered UI Layers or Frames

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1021: Improper Restriction of Rendered UI Layers or Frames |
| OWASP | A04:2021 - Insecure Design |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

Using dynamic ':action' routes in Ruby on Rails can allow users to trigger arbitrary controller actions by crafting specific URLs. This weakens route restrictions and can expose unintended functionality.
## Impact

If exploited, an attacker could access and execute any public controller action, potentially exposing sensitive data or enabling unauthorized operations. This increases the risk of information leakage, privilege escalation, or unintended application behavior.
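The routing behaviour described above, modelled as an added example in plain Ruby (this is not code from the SymbioticSec database or from Rails itself). The two dispatchers only imitate what Rails does with a catch-all `match ':controller(/:action(/:id))'` route versus an explicit route table; `UsersController`, its `export_all` method, and the `dispatch_dynamic` / `dispatch_explicit` helpers are hypothetical names chosen for the illustration.

```ruby
# Added example, not from the wiki page: a plain-Ruby model of Rails-style
# request dispatch. It shows why a dynamic ':action' route makes every public
# controller method reachable by URL, and how an explicit route table does not.

class RoutingError < StandardError; end

# Hypothetical controller. `index` and `show` are meant to be routable;
# `export_all` is a maintenance helper that a rake task calls. It is public
# only by oversight, which is exactly what a dynamic route turns into exposure.
class UsersController
  def index;      "listing users";               end
  def show;       "showing user";                end
  def export_all; "exporting every user record"; end
end

CONTROLLERS = { "users" => UsersController }.freeze

# Dynamic routing, the equivalent of
#   match ':controller(/:action(/:id))', via: :all
# in config/routes.rb. The action name comes straight from the URL, and any
# public method defined on the controller class becomes callable.
def dispatch_dynamic(path)
  controller_name, action = path.delete_prefix("/").split("/")
  action ||= "index" # Rails defaults the action to index
  klass = CONTROLLERS.fetch(controller_name) do
    raise RoutingError, "no controller #{controller_name}"
  end
  # Mirrors Rails' action_methods: public methods defined on the class itself
  unless klass.public_instance_methods(false).include?(action.to_sym)
    raise RoutingError, "no action #{action}"
  end
  klass.new.public_send(action)
end

# Explicit routing, the equivalent of
#   resources :users, only: [:index, :show]
# Only the actions listed here are reachable, whatever the URL says.
ROUTES = {
  ["GET", "/users"]     => [UsersController, :index],
  ["GET", "/users/:id"] => [UsersController, :show],
}.freeze

def path_matches?(pattern, path)
  pseg = pattern.split("/")
  seg  = path.split("/")
  return false unless pseg.length == seg.length
  pseg.zip(seg).all? { |p, s| p.start_with?(":") ? !s.empty? : p == s }
end

def dispatch_explicit(method, path)
  ROUTES.each do |(m, pattern), (klass, action)|
    next unless m == method
    return klass.new.public_send(action) if path_matches?(pattern, path)
  end
  raise RoutingError, "no route matches #{method} #{path}"
end

# Which controller methods each scheme exposes, for comparison.
def exposed_actions_dynamic(controller_name)
  CONTROLLERS.fetch(controller_name).public_instance_methods(false).sort
end

def exposed_actions_explicit
  ROUTES.values.map { |(_, action)| action }.uniq.sort
end

if __FILE__ == $PROGRAM_NAME
  puts dispatch_dynamic("/users/export_all")   # the maintenance helper runs
  puts dispatch_explicit("GET", "/users/export_all") # treated as an :id for show
  p exposed_actions_dynamic("users")
  p exposed_actions_explicit
end
```

In a real application the fix is to delete the catch-all `match ':controller(/:action(/:id))'` line from `config/routes.rb` and declare each route explicitly (for example `resources :users, only: [:index, :show]`); `bin/rails routes` lists exactly what is reachable afterwards. Methods that are not intended as actions should also be made private or moved out of the controller, so that a future routing change cannot expose them again.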