Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
The model does not restrict which attributes can be updated via mass assignment. Without ‘attr_accessible’ or strong parameters, attackers can set any model attribute by submitting extra parameters in requests.
Impact#
An attacker could manipulate sensitive fields (like admin status or password) that should not be user-editable, potentially leading to privilege escalation, unauthorized data changes, or full application compromise.