SYM_RB_0029 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The model does not restrict which attributes can be updated via mass assignment. Without 'attr_accessible' or strong parameters, attackers can set any model attribute by submitting extra parameters in requests.
Impact
An attacker could manipulate sensitive fields (like admin status or password) that should not be user-editable, potentially leading to privilege escalation, unauthorized data changes, or full application compromise.
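The following is an added example, not code from this wiki or from Rails itself. It re-creates the mass-assignment behaviour described above in plain Ruby so that the unrestricted model and the strong-parameters fix can be run side by side without a Rails installation. `User`, `StrongParams`, `create_user_unsafe`, `create_user_safe` and `MALICIOUS_REQUEST` are constructed stand-ins for an ActiveRecord model, `ActionController::Parameters`, two controller actions and a parsed request body.

```ruby
# Added example (not the wiki's or Rails' own code): a Rails-free re-creation
# of mass assignment so the CWE-915 failure and the strong-parameters fix run
# side by side. `User`, `StrongParams` and MALICIOUS_REQUEST are constructed
# stand-ins for an ActiveRecord model, ActionController::Parameters and a
# parsed request body.

class User
  ATTRIBUTES = %i[name email admin password_digest].freeze
  attr_accessor :name, :email, :password_digest
  attr_reader :admin

  # Mirrors ActiveModel::AttributeAssignment: every key in the hash is written
  # through its setter, with no notion of which attributes a user may touch.
  def initialize(attrs = {})
    @admin = false
    attrs.each do |key, value|
      setter = "#{key}="
      raise ArgumentError, "unknown attribute '#{key}'" unless respond_to?(setter)
      public_send(setter, value)
    end
  end

  # Form values arrive as strings; cast the way a boolean column would.
  def admin=(value)
    @admin = [true, "true", "1", 1].include?(value)
  end

  def to_h
    ATTRIBUTES.to_h { |a| [a, public_send(a)] }
  end
end

# Vulnerable pattern: the whole request hash reaches the model unfiltered
# (a Rails 3 model without attr_accessible, or `params.permit!` in Rails 4+).
def create_user_unsafe(params)
  User.new(params.fetch("user"))
end

module StrongParams
  # Constructed stand-in for params.require(:user).permit(:name, :email):
  # the required key must be present, and only whitelisted keys survive.
  def self.permit(params, required_key, *allowed)
    raw = params.fetch(required_key) { raise ArgumentError, "param is missing: #{required_key}" }
    raw.select { |k, _| allowed.include?(k.to_sym) }
  end

  # Keys the whitelist dropped; Rails reports these as "Unpermitted parameters"
  # according to config.action_controller.action_on_unpermitted_parameters.
  def self.unpermitted_keys(params, required_key, *allowed)
    params.fetch(required_key, {}).keys.reject { |k| allowed.include?(k.to_sym) }
  end
end

USER_WHITELIST = %i[name email].freeze

# Hardened pattern: only user-editable attributes are assigned; `admin` and
# `password_digest` can only be set by server-side code.
def create_user_safe(params)
  User.new(StrongParams.permit(params, "user", *USER_WHITELIST))
end

# Constructed request body: a sign-up form submission carrying an extra field.
MALICIOUS_REQUEST = {
  "user" => { "name" => "mallory", "email" => "mallory@example.test", "admin" => "true" }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{create_user_unsafe(MALICIOUS_REQUEST).to_h}"
  puts "safe:    #{create_user_safe(MALICIOUS_REQUEST).to_h}"
  puts "dropped: #{StrongParams.unpermitted_keys(MALICIOUS_REQUEST, 'user', *USER_WHITELIST)}"
end
```

Running the file shows the unsafe path creating an administrator from a sign-up form while the safe path keeps `admin` at its default. In a real application the whitelist lives in the model as `attr_accessible :name, :email` (Rails 3, or the `protected_attributes` gem) or in the controller as `params.require(:user).permit(:name, :email)` (Rails 4 and later). Setting `config.action_controller.action_on_unpermitted_parameters = :raise` in development and test surfaces any key the whitelist drops, which is the quickest way to spot a form or client sending attributes the server never intended to accept.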