Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Mass assignment protection is disabled for the model, so any model attribute, including sensitive ones, can be set directly from input parameters. This makes it easy for an attacker to modify fields that should be restricted.
Impact
If exploited, an attacker could update protected fields such as user roles, permissions, or other critical data by submitting crafted parameters. This could lead to unauthorized access, privilege escalation, or data tampering within your application.
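The following Ruby is an added illustration, not code from the original rule page: the page does not name a language, so a minimal ORM-style stand-in (the `User` class and the request hash are constructed) shows the unprotected assignment beside an allow-list filter in the style of Rails strong parameters, plus a helper that reports dropped keys for logging.

```ruby
# Added example: unrestricted mass assignment versus an allow-list filter.
# The User class and the request body below are constructed for illustration.
class User
  ATTRIBUTES = %i[name email role].freeze
  attr_reader :attributes

  def initialize(name:, email:, role: "member")
    @attributes = { name: name, email: email, role: role }
  end

  # Unprotected: every known column in the request hash is written,
  # so a client-supplied "role" overwrites the privilege field.
  def assign_unprotected(params)
    params.each { |k, v| @attributes[k.to_sym] = v if ATTRIBUTES.include?(k.to_sym) }
    self
  end

  # Hardened: only keys on the caller's allow-list are applied.
  def assign_permitted(params, permitted)
    @attributes.merge!(permit(params, permitted))
    self
  end

  def role
    @attributes[:role]
  end
end

# Allow-list filter: new hash with only the permitted keys (string keys normalised).
def permit(params, permitted)
  params.each_with_object({}) do |(key, value), out|
    out[key.to_sym] = value if permitted.include?(key.to_sym)
  end
end

# Keys the filter discarded; worth logging, since a request that tries to set
# "role" on a profile update is a signal worth alerting on.
def unpermitted_keys(params, permitted)
  params.keys.map(&:to_sym) - permitted
end

# Constructed request: a profile edit smuggling in role=admin.
CRAFTED_PARAMS = { "name" => "Alice", "email" => "alice@example.com", "role" => "admin" }.freeze
PROFILE_FIELDS = %i[name email].freeze

def demo
  vulnerable = User.new(name: "Alice", email: "a@example.com").assign_unprotected(CRAFTED_PARAMS)
  hardened = User.new(name: "Alice", email: "a@example.com").assign_permitted(CRAFTED_PARAMS, PROFILE_FIELDS)
  { vulnerable_role: vulnerable.role, hardened_role: hardened.role,
    dropped: unpermitted_keys(CRAFTED_PARAMS, PROFILE_FIELDS) }
end

puts demo.inspect
```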