Improper Access Control
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The key (name) under which a value is stored in the session is taken from untrusted user input, such as a request parameter, so the client decides which session entry is created or overwritten. Session data is meant to be written only by application code under keys the application chose in advance; letting the request supply the key turns the session store into an attacker-writable map.
Impact
An attacker can overwrite or inject arbitrary session entries, including ones the application treats as authoritative, such as the logged-in user ID, a role, or an administrator flag. Depending on which entries are reachable, this yields unauthorized access, privilege escalation, account takeover, or tampering with another user's data. Session keys should be application constants: accept only an explicit allowlist of writable names, and keep client-controlled values under a fixed, namespaced key rather than at the top level of the session.
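As an added illustration, not code from the original page or from any particular framework: a "save preference" handler written against a plain dict that stands in for the framework session object (Flask and Django sessions are mapping-like, so the shape carries over). The handler names, the allowlist, and the sample requests are constructed for this example; the vulnerable form shows the pattern the rule flags, the hardened form applies an allowlist plus a namespaced key.

```python
from typing import Any, Dict, Mapping

# Session keys a client may set through the preferences form (constructed
# allowlist). Everything the application uses for authorization, such as
# user_id and is_admin, is deliberately absent from it.
ALLOWED_PREFERENCE_KEYS = frozenset({"theme", "locale", "items_per_page"})
MAX_VALUE_LENGTH = 64


class ForbiddenSessionKey(ValueError):
    """Raised when a request tries to write a session key it may not control."""


def fresh_session() -> Dict[str, Any]:
    """Constructed sample of what the server stored in the session at login."""
    return {"user_id": 1042, "is_admin": False}


def vulnerable_set_preference(session: Dict[str, Any], form: Mapping[str, str]) -> Dict[str, Any]:
    """The pattern flagged under CWE-284: the session *key* comes from the request.

    `form` stands in for the parsed request body (request.form / request.POST).
    Because form["name"] is attacker-controlled, the attacker chooses which
    session entry is created or overwritten.
    """
    session[form["name"]] = form["value"]
    return session


def hardened_set_preference(session: Dict[str, Any], form: Mapping[str, str]) -> Dict[str, Any]:
    """Hardened version: allowlisted key names, written under a fixed namespace.

    Two independent controls:
      1. the key must be one the application chose in advance;
      2. client data lives under session["prefs"], so even a future mistake in
         the allowlist cannot collide with top-level auth state.
    """
    key = form.get("name")
    if key not in ALLOWED_PREFERENCE_KEYS:
        raise ForbiddenSessionKey(f"refusing to write session key {key!r}")
    prefs = dict(session.get("prefs", {}))
    prefs[key] = str(form.get("value", ""))[:MAX_VALUE_LENGTH]
    session["prefs"] = prefs
    return session


def is_admin(session: Mapping[str, Any]) -> bool:
    """Typical downstream check: truthiness-based, so the string "1" passes it."""
    return bool(session.get("is_admin"))


def demo() -> Dict[str, Any]:
    """Runs both handlers against constructed requests and returns the outcomes."""
    attacker_form = {"name": "is_admin", "value": "1"}  # constructed malicious request
    honest_form = {"name": "theme", "value": "dark"}    # constructed legitimate request

    vuln = vulnerable_set_preference(fresh_session(), attacker_form)

    hard = fresh_session()
    try:
        hardened_set_preference(hard, attacker_form)
        blocked = False
    except ForbiddenSessionKey:
        blocked = True
    hardened_set_preference(hard, honest_form)

    return {
        "vulnerable_escalated": is_admin(vuln),          # attacker is now admin
        "hardened_blocked": blocked,                     # write was refused
        "hardened_still_not_admin": not is_admin(hard),  # auth state untouched
        "hardened_theme": hard["prefs"]["theme"],        # legitimate write landed
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same vulnerable handler also accepts `{"name": "user_id", "value": "1"}`, which silently rebinds the session to another account; the hardened handler rejects that request for the same reason it rejects `is_admin`, because neither name is in the allowlist. Note that the allowlist check must compare against fixed application constants, not against a list built from the request or from the session itself.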