Vulmon Recent Vulnerabilities Trends Blog About Contact

mass assignment vulnerabilities and exploits

(subscribe to this query)

4.3
CVSSv2
CVE-2020-24940
An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment....
Laravel Laravel
5
CVSSv2
CVE-2008-7309
Insoshi before 20080920 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the ForumPost user_id value via a modified URL, related to a "mass assignment" vulnerability....
Insoshi Insoshi
4
CVSSv2
CVE-2013-2506
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves....
Spreecommerce Spree 1.1.0Spreecommerce Spree 1.1.1Spreecommerce Spree 1.1.2Spreecommerce Spree 1.1.3Spreecommerce Spree 1.1.4Spreecommerce Spree 1.1.5Spreecommerce Spree 1.1.6Spreecommerce Spree 1.2.0Spreecommerce Spree 1.2.1Spreecommerce Spree 1.2.2Spreecommerce Spree 1.2.3Spreecommerce Spree 1.2.4Spreecommerce Spree 1.3.0Spreecommerce Spree 1.3.1Spreecommerce Spree 1.3.2
5.8
CVSSv2
CVE-2013-7080
The creating record functionality in Extension table administration library (feuser_adminLib.inc) in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, and 6.0.0 through 6.0.11 allows remote attackers to write to arbitrary fields in the configuration database table via crafted...
Typo3 Typo3 6.0Typo3 Typo3 6.0.1Typo3 Typo3 6.0.2Typo3 Typo3 6.0.3Typo3 Typo3 6.0.4Typo3 Typo3 6.0.5Typo3 Typo3 6.0.6Typo3 Typo3 6.0.7Typo3 Typo3 6.0.8Typo3 Typo3 6.0.9Typo3 Typo3 6.0.10Typo3 Typo3 6.0.11Typo3 Typo3 4.5.0Typo3 Typo3 4.5.1Typo3 Typo3 4.5.2Typo3 Typo3 4.5.3Typo3 Typo3 4.5.4Typo3 Typo3 4.5.5Typo3 Typo3 4.5.6Typo3 Typo3 4.5.7Typo3 Typo3 4.5.8Typo3 Typo3 4.5.9Typo3 Typo3 4.5.10Typo3 Typo3 4.5.11Typo3 Typo3 4.5.12Typo3 Typo3 4.5.13Typo3 Typo3 4.5.14Typo3 Typo3 4.5.15Typo3 Typo3 4.5.16Typo3 Typo3 4.5.17Typo3 Typo3 4.5.18Typo3 Typo3 4.5.19Typo3 Typo3 4.5.20Typo3 Typo3 4.5.21Typo3 Typo3 4.5.22Typo3 Typo3 4.5.23Typo3 Typo3 4.5.24Typo3 Typo3 4.5.25Typo3 Typo3 4.5.26Typo3 Typo3 4.5.27Typo3 Typo3 4.5.28Typo3 Typo3 4.5.29Typo3 Typo3 4.5.30Typo3 Typo3 4.5.31Typo3 Typo3 4.7.0Typo3 Typo3 4.7.1Typo3 Typo3 4.7.2Typo3 Typo3 4.7.3Typo3 Typo3 4.7.4Typo3 Typo3 4.7.5Typo3 Typo3 4.7.6Typo3 Typo3 4.7.7Typo3 Typo3 4.7.8Typo3 Typo3 4.7.9Typo3 Typo3 4.7.10Typo3 Typo3 4.7.11Typo3 Typo3 4.7.12Typo3 Typo3 4.7.13Typo3 Typo3 4.7.14Typo3 Typo3 4.7.15Typo3 Typo3 4.7.16
5
CVSSv2
CVE-2008-7310
Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability....
Spreecommerce Spree 0.2.0
5
CVSSv2
CVE-2012-2055
GitHub Enterprise before 20120304 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the public_key[user_id] value via a modified URL for the public-key update form, related to a "mass...
Github Github Enterprise
6.5
CVSSv2
CVE-2019-17605
A mass assignment vulnerability in eyecomms eyeCMS through 2019-10-15 allows any candidate to take over another candidate's account (by also exploiting CVE-2019-17604) via a modified candidate id and an additional password parameter. The outcome is that the password of this...
Eyecomms Eyecms
4
CVSSv2
CVE-2018-20301
An issue was discovered in Steve Pallen Coherence before 0.5.2 that is similar to a Mass Assignment vulnerability. In particular, "registration" endpoints (e.g., creating, editing, updating) allow users to update any coherence_fields data. For example, users can...
Coherence Project Coherence
7.5
CVSSv2
CVE-2014-3514
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls....
Rubyonrails Rails 4.0.0Rubyonrails Rails 4.0.1Rubyonrails Rails 4.0.2Rubyonrails Rails 4.0.3Rubyonrails Rails 4.0.4Rubyonrails Rails 4.0.5Rubyonrails Rails 4.0.6Rubyonrails Rails 4.0.7Rubyonrails Rails 4.0.8Rubyonrails Rails 4.1.0Rubyonrails Rails 4.1.1Rubyonrails Rails 4.1.2Rubyonrails Rails 4.1.3Rubyonrails Rails 4.1.4
5
CVSSv2
CVE-2012-2054
Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, (4) MembersController, (5) Message, (6) News, (7) TimeEntry,...
Redmine Redmine 0.1.0Redmine Redmine 0.2.1Redmine Redmine 0.2.2Redmine Redmine 0.3.0Redmine Redmine 0.4.0Redmine Redmine 0.4.1Redmine Redmine 0.4.2Redmine Redmine 0.5.0Redmine Redmine 0.5.1Redmine Redmine 0.6.0Redmine Redmine 0.6.1Redmine Redmine 0.6.2Redmine Redmine 0.6.3Redmine Redmine 0.6.4Redmine Redmine 0.7.0Redmine Redmine 0.7.1Redmine Redmine 0.7.2Redmine Redmine 0.7.3Redmine Redmine 0.7.4Redmine Redmine 0.8.0Redmine Redmine 0.8.1Redmine Redmine 0.8.2Redmine Redmine 0.8.3Redmine Redmine 0.8.4Redmine Redmine 0.8.5Redmine Redmine 0.8.6Redmine Redmine 0.8.7Redmine Redmine 0.9.0Redmine Redmine 0.9.1Redmine Redmine 0.9.2Redmine Redmine 0.9.3Redmine Redmine 0.9.4Redmine Redmine 0.9.5Redmine Redmine 0.9.6Redmine Redmine 1.0.0Redmine Redmine 1.0.1Redmine Redmine 1.0.2Redmine Redmine 1.0.3Redmine Redmine 1.0.4Redmine Redmine 1.0.5Redmine Redmine 1.1.0Redmine Redmine 1.1.1Redmine Redmine 1.1.2Redmine Redmine 1.1.3Redmine Redmine 1.2.0Redmine Redmine 1.2.1Redmine Redmine 1.2.2Redmine Redmine 1.2.3Redmine Redmine 1.3.0Redmine Redmine
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2020-3691insecure direct object referenceCVE-2021-1140CVE-2021-2109information disclosureCVE-2021-1303CVE-2021-1304IDORCVE-2020-14882