Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Setting the $guarded property to an empty array in a Laravel model disables all mass assignment protection, allowing any attribute to be set via user input. This overrides Laravel’s default safeguards against unintended data modification.
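The following is an added example, not code from the rule page or from Laravel itself: the model shape this rule flags beside a hardened version, with a controller that shows why the difference matters. It assumes a Laravel application with a `users` table that has an `is_admin` column (a constructed schema for illustration).

```php
<?php
// Added example (not from the rule page). Assumes a Laravel app whose
// `users` table has a privileged `is_admin` column (constructed schema).

use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;

// FLAGGED BY THIS RULE: an empty $guarded disables mass assignment
// protection, so every key in the input array becomes a column write.
class UnguardedUser extends Model
{
    protected $table = 'users';
    protected $guarded = [];
}

// HARDENED: an explicit allow-list; keys outside it are discarded by fill().
class User extends Model
{
    protected $table = 'users';
    protected $fillable = ['name', 'email', 'password'];
}

class RegistrationController
{
    // Failure mode: with UnguardedUser, a request body such as
    //   {"name":"a","email":"a@example.com","password":"...","is_admin":true}
    // persists is_admin = true because nothing filters the input.
    public function storeUnsafe(Request $request)
    {
        return UnguardedUser::create($request->all());
    }

    // Defence in depth: validate() returns only the declared fields, so an
    // unexpected key never reaches the model; $fillable on User would drop
    // it anyway if some other code path passed raw input to create().
    public function store(Request $request)
    {
        $data = $request->validate([
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email'],
            'password' => ['required', 'string', 'min:12'],
        ]);
        $data['password'] = bcrypt($data['password']);

        return User::create($data); // is_admin keeps its database default
    }
}
```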
Impact
An attacker could exploit this to modify sensitive or restricted fields in your database by sending unexpected parameters, potentially leading to privilege escalation, data corruption, or unauthorized changes to user or application data.