SYM_RB_0065 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improperly Controlled Modification of Dynamically-Determined Object Attributes

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

Including sensitive attributes such as `admin` or `account_id` in a `permit` list lets any user who can submit the request mass-assign critical fields they should never control. This exposes the application to unauthorized privilege changes and account takeovers.
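The following is an added example, not code from the Symbiotic database entry. Because Rails is not needed to show the point, it uses a small `Params` stand-in that mimics the allow-list behaviour of `ActionController::Parameters#permit` (only listed keys survive). The field names, the `PROTECTED_ATTRIBUTES` list and the sample request body are constructed for illustration; a real application would keep its own list of server-owned attributes.

```ruby
# Minimal stand-in for ActionController::Parameters#permit (added example, not Rails):
# returns a new Hash containing only the permitted keys, everything else is dropped.
class Params
  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end

  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# Attributes that must only ever be set server-side (constructed list for this example).
PROTECTED_ATTRIBUTES = %w[admin role account_id].freeze

# Vulnerable permit list: whatever the client sends for admin/account_id reaches the model.
def vulnerable_user_params(params)
  params.permit(:name, :email, :admin, :account_id)
end

# Hardened permit list: only the fields a user is allowed to edit about themselves.
def safe_user_params(params)
  params.permit(:name, :email)
end

# Privileged fields come from trusted server-side context (e.g. the authenticated
# session), never from the request body, and are merged after permit has run.
def build_user_attrs(params, current_account_id)
  safe_user_params(params).merge('account_id' => current_account_id)
end

# Audit helper: which protected attributes would this permitted hash hand to the model?
# Useful as a guard in a test suite, so a careless permit change fails CI.
def leaked_protected_attributes(permitted)
  permitted.keys & PROTECTED_ATTRIBUTES
end

# Constructed request body containing fields a user should not be able to set.
SAMPLE_REQUEST = Params.new(
  'name' => 'alice', 'email' => 'alice@example.com', 'admin' => true, 'account_id' => 42
)

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_user_params(SAMPLE_REQUEST)}"
  puts "safe:       #{safe_user_params(SAMPLE_REQUEST)}"
  puts "leaked:     #{leaked_protected_attributes(vulnerable_user_params(SAMPLE_REQUEST))}"
end
```

The fix is not to validate the value of `admin` after permitting it, but to leave it out of the permit list entirely and set ownership and role fields from the authenticated context, as `build_user_attrs` does. A test that asserts `leaked_protected_attributes` is empty for every controller's permit list catches regressions when new fields are added.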
## Impact

If exploited, attackers could escalate their privileges, gain admin access, or manipulate account ownership by changing protected attributes. This can lead to data breaches, unauthorized actions, and a loss of control over user accounts and permissions.