mass assignment vulnerabilities and exploits

(subscribe to this query)

6

CVSSv2

The create method in app/controllers/users_controller.rb in Foreman prior to 1.2.0-RC2 allows remote authenticated users with permissions to create or edit other users to gain privileges by (1) changing the admin flag or (2) assigning an arbitrary role.

Theforeman Foreman Redhat Openstack 3.0 Theforeman Foreman 1.1

1 EDB exploit

4.3

CVSSv2

An issue exists in Laravel prior to 6.18.34 and 7.x prior to 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment.

Laravel Laravel

4

CVSSv2

app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x prior to 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.

Spreecommerce Spree 1.1.1 Spreecommerce Spree 1.1.3 Spreecommerce Spree 1.2.1 Spreecommerce Spree 1.2.3 Spreecommerce Spree 1.1.4 Spreecommerce Spree 1.1.5 Spreecommerce Spree 1.1.6 Spreecommerce Spree 1.2.0 Spreecommerce Spree 1.3.0 Spreecommerce Spree 1.3.1 Spreecommerce Spree 1.3.2 Spreecommerce Spree 1.1.0 Spreecommerce Spree 1.1.2 Spreecommerce Spree 1.2.2 Spreecommerce Spree 1.2.4

5

CVSSv2

Insoshi prior to 20080920 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote malicious users to set the ForumPost user_id value via a modified URL, related to a "mass assignment" vulnerability.

Insoshi Insoshi

5

CVSSv2

Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote malicious users to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerabili...

Spreecommerce Spree 0.2.0

5

CVSSv2

GitHub Enterprise prior to 20120304 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote malicious users to set the public_key[user_id] value via a modified URL for the public-key update form, related to a "mass as...

Github Github

6.4

CVSSv2

org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect up to and including 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the...

Mitreid Connect

1 Github repository

6.5

CVSSv2

A mass assignment vulnerability in eyecomms eyeCMS through 2019-10-15 allows any candidate to take over another candidate's account (by also exploiting CVE-2019-17604) via a modified candidate id and an additional password parameter. The outcome is that the password of this ...

Eyecomms Eyecms

4

CVSSv2

An issue exists in Steve Pallen Coherence prior to 0.5.2 that is similar to a Mass Assignment vulnerability. In particular, "registration" endpoints (e.g., creating, editing, updating) allow users to update any coherence_fields data. For example, users can automatically...

Coherence Project Coherence

Get Started

1 2 3 NEXT »

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook