SYM_RB_0074 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Access Control
| Property | Value |
|---|---|
| Language | Ruby |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Using `:except` with `skip_before_filter`, `skip_before_action`, or `skip_filter` in a Rails controller disables the named filter for every action other than the ones listed. The skip is therefore a deny-list: the filter stays active only on the listed actions, and any action added to the controller later runs without it by default. When the skipped filter is a security check such as authentication or authorization, this silently leaves most of the controller unprotected. It is safer to name the actions that should skip the filter explicitly with `:only`, so that new actions remain protected unless they are deliberately exempted. (`skip_before_filter` and `skip_filter` are the pre-Rails 5 names for the same mechanism; the problem is identical with `skip_before_action`.)
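To make the fail-open behaviour concrete, here is an added example that is not part of the rule page or of Rails itself. It is a small stand-in for the Rails callback chain (`before_action` and `skip_before_action` with `only:`/`except:`), written so it runs without Rails. The controller and action names (`ReportsControllerExcept`, `ReportsControllerOnly`, `export`, and so on) are invented for the illustration. The flagged `except:` form and the hardened `only:` form are placed side by side, and a sensitive `export` action is added "later" to both to show which one leaves it reachable without login.

```ruby
# Added example, not code from the SymbioticSec rule page or from Rails:
# a minimal stand-in for the Rails callback chain (before_action /
# skip_before_action with only:/except:), just enough to show why a skip
# written with `except:` fails open when a new action is added, while one
# written with `only:` fails closed.
class MiniController
  # Callback declarations are inherited, like Rails controller callbacks.
  def self.filters
    @filters ||= (superclass.respond_to?(:filters) ? superclass.filters.dup : [])
  end

  def self.skips
    @skips ||= (superclass.respond_to?(:skips) ? superclass.skips.dup : [])
  end

  def self.before_action(name, only: nil, except: nil)
    filters << [name, only && Array(only), except && Array(except)]
  end

  # A skip with `only:` removes the filter for the listed actions; a skip with
  # `except:` removes it for every action NOT listed (a deny-list).
  def self.skip_before_action(name, only: nil, except: nil)
    skips << [name, only && Array(only), except && Array(except)]
  end

  def self.applies?(only, except, action)
    return false if only && !only.include?(action)
    return false if except && except.include?(action)
    true
  end

  # Names of the before_action callbacks that would run for +action+.
  def self.active_filters(action)
    filters.each_with_object([]) do |(name, only, except), active|
      next unless applies?(only, except, action)
      skipped = skips.any? do |s_name, s_only, s_except|
        s_name == name && applies?(s_only, s_except, action)
      end
      active << name unless skipped
    end
  end

  def self.authenticated?(action)
    active_filters(action).include?(:authenticate_user!)
  end
end

# Login is required everywhere by default, as in a typical ApplicationController.
class ApplicationControllerMini < MiniController
  before_action :authenticate_user!
end

# Pattern the rule flags. Intent: "only index and show are public". Written as
# a deny-list, so every action outside the list, including any added later, is
# unauthenticated.
class ReportsControllerExcept < ApplicationControllerMini
  skip_before_action :authenticate_user!, except: [:create, :update, :destroy]

  def index;   end
  def show;    end
  def create;  end
  def update;  end
  def destroy; end
  # Added months later; sensitive, but nobody revisited the skip list.
  def export;  end
end

# Hardened form: name the public actions explicitly with `only:`. New actions
# stay behind authenticate_user! unless deliberately listed.
class ReportsControllerOnly < ApplicationControllerMini
  skip_before_action :authenticate_user!, only: [:index, :show]

  def index;   end
  def show;    end
  def create;  end
  def update;  end
  def destroy; end
  def export;  end
end

# Actions of a controller that are reachable without passing authenticate_user!.
def public_actions(controller)
  controller.instance_methods(false).reject { |a| controller.authenticated?(a) }.sort
end

if __FILE__ == $PROGRAM_NAME
  puts "except: public actions = #{public_actions(ReportsControllerExcept).inspect}"
  puts "only:   public actions = #{public_actions(ReportsControllerOnly).inspect}"
end
```

Running the script prints `export` among the public actions of the `except:` controller and not among those of the `only:` controller, which is the whole point of the rule: the `except:` list has to be revisited every time an action is added, while the `only:` list only ever grows when someone deliberately makes an action public. The same check is easy to automate in a real application by iterating over a controller's `action_methods` and its `_process_action_callbacks`, but the simplified chain above is enough to show the semantics.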
Impact
An unauthenticated or low-privileged user can invoke controller actions that were meant to be guarded by the skipped filter. Depending on what those actions do, this leads to disclosure of other users' data, privilege escalation, or unauthorized create, update, and delete operations, compromising both user data and application integrity.