Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Property | Value |
|---|---|
| Language | Ruby |
| Severity | |
| CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code passes the request parameters hash (`params`, or a sub-hash such as `params[:user]`) straight into a model constructor or mass-assignment call (`Model.new`, `create`, `update_attributes`, `assign_attributes`) without filtering it, or passes `:without_protection => true`, which disables the `attr_accessible` / `attr_protected` whitelist on the model. Either way, every attribute name the client chooses to send is written to the record, including columns that never appear on the form. The fix is to whitelist on the server side: `attr_accessible` on the model in Rails 3, or strong parameters (`params.require(:user).permit(:name, :email)`) in Rails 4 and later, where passing an unpermitted `ActionController::Parameters` object to mass assignment raises `ActiveModel::ForbiddenAttributesError`.
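The following is an added example, not code from the original page or from Rails itself. It uses a small stand-in `User` class (constructed here) instead of an ActiveRecord model, a `permit` helper that mirrors what `ActionController::Parameters#permit` does, and a constructed request hash in which an attacker has appended `admin=true` to an ordinary sign-up form. The unprotected path writes the injected field; the whitelisted path drops it.

```ruby
# Added example: a minimal stand-in for ActiveRecord mass assignment, not Rails code.
# User, permit and the sample request are constructed for illustration.
require 'set'

class User
  ATTRIBUTES = %i[name email admin].freeze
  attr_reader(*ATTRIBUTES)

  def initialize
    @name, @email, @admin = nil, nil, false
  end

  # Mimics the unprotected path: Model.new(params) or
  # update_attributes(params, :without_protection => true).
  # Every key in the hash is written, including ones the form never offered.
  def assign_attributes_unprotected(attrs)
    attrs.each do |key, value|
      k = key.to_sym
      raise ArgumentError, "unknown attribute #{key}" unless ATTRIBUTES.include?(k)
      instance_variable_set("@#{k}", value)
    end
    self
  end

  # Mimics the protected path: only a server-defined whitelist is accepted
  # (attr_accessible in Rails 3, params.permit in Rails 4 and later).
  def assign_attributes(attrs, permitted:)
    assign_attributes_unprotected(permit(attrs, permitted))
  end
end

# Equivalent of ActionController::Parameters#permit: keep only whitelisted keys.
def permit(attrs, permitted)
  allowed = Set.new(permitted.map(&:to_sym))
  attrs.select { |k, _| allowed.include?(k.to_sym) }
end

# Keys the client sent that the whitelist rejected; worth logging as tampering.
def unpermitted_keys(attrs, permitted)
  allowed = Set.new(permitted.map(&:to_sym))
  attrs.keys.map(&:to_sym).reject { |k| allowed.include?(k) }
end

# Constructed request: a normal sign-up form plus an injected admin field, e.g.
#   curl -d 'user[name]=eve&user[email]=eve@example.com&user[admin]=true' ...
TAMPERED_PARAMS = { 'name' => 'eve', 'email' => 'eve@example.com', 'admin' => true }.freeze
SIGNUP_FIELDS = %w[name email].freeze

# Vulnerable controller action: raw params handed to the model.
def vulnerable_signup(params = TAMPERED_PARAMS)
  User.new.assign_attributes_unprotected(params)
end

# Hardened controller action: only the sign-up fields reach the model.
def hardened_signup(params = TAMPERED_PARAMS)
  User.new.assign_attributes(params, permitted: SIGNUP_FIELDS)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: admin=#{vulnerable_signup.admin}"   # true: attacker becomes admin
  puts "hardened:   admin=#{hardened_signup.admin}"     # false
  puts "dropped:    #{unpermitted_keys(TAMPERED_PARAMS, SIGNUP_FIELDS).inspect}"
end
```

In a real Rails 4+ application the equivalent of `hardened_signup` is `User.new(params.require(:user).permit(:name, :email))`; the point of the example is that the whitelist has to live in server code, because the set of keys in `params` is entirely under the client's control.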
Impact
An attacker who adds extra fields to a request (for example `user[admin]=true` or `user[role]=admin` alongside the normal form fields) can set attributes the form never exposed, such as admin roles, account status, or the foreign keys that tie a record to its owner. This leads to privilege escalation, unauthorized changes to other users' data, or corruption of records the application assumes only it can write.