Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code assigns every field from user input directly to a model using constructs such as `**request.data`, so sensitive or restricted fields can be updated unintentionally (a mass-assignment pattern). An attacker can modify fields that should not be user-editable simply by adding extra keys to the request body.
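To make the pattern concrete, here is an added example that is not part of the rule's own source: the flagged `**request.data` style of update beside an allow-listed version. The `User` dataclass, `EDITABLE_FIELDS` and the request bodies are constructed for illustration and stand in for a Django model and `request.data`.

```python
from dataclasses import dataclass


@dataclass
class User:
    # Constructed stand-in for an ORM model; is_admin/is_active must never
    # be settable from a request body.
    username: str
    email: str
    is_admin: bool = False
    is_active: bool = True


# Assumed allow-list of fields a caller may set on their own account.
EDITABLE_FIELDS = frozenset({"username", "email"})


def create_vulnerable(request_data: dict) -> User:
    """Model(**request.data): every key in the body becomes a model field."""
    return User(**request_data)


def update_vulnerable(user: User, request_data: dict) -> User:
    """Equivalent update form: each key is written onto the instance."""
    for name, value in request_data.items():
        setattr(user, name, value)
    return user


def _allowed_fields(request_data: dict) -> dict:
    """Reject bodies carrying keys outside the allow-list instead of
    silently dropping them, so a tampering attempt is visible in logs."""
    unexpected = set(request_data) - EDITABLE_FIELDS
    if unexpected:
        raise ValueError(f"fields not user-editable: {sorted(unexpected)}")
    return {k: request_data[k] for k in request_data}


def create_hardened(request_data: dict) -> User:
    return User(**_allowed_fields(request_data))


def update_hardened(user: User, request_data: dict) -> User:
    for name, value in _allowed_fields(request_data).items():
        setattr(user, name, value)
    return user


# Constructed request bodies: a legitimate edit and a tampered one.
NORMAL_BODY = {"email": "alice@example.com"}
TAMPERED_BODY = {"email": "alice@example.com", "is_admin": True}
```

With `TAMPERED_BODY`, the vulnerable functions silently promote the account while the hardened ones raise `ValueError` and leave `is_admin` untouched.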
Impact
If exploited, an attacker could change critical fields such as user roles, permissions, or account status, potentially leading to privilege escalation, data corruption, or unauthorized access. This compromises application integrity and can expose sensitive data or functionality.