CWE-915
AllowedImproperly Controlled Modification of Dynamically-Determined Object Attributes
Abstraction: Base · Status: Incomplete
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
276 vulnerabilities reference this CWE, most recent first.
GHSA-2GHC-6V89-PW9J
Vulnerability from github – Published: 2021-09-14 20:25 – Updated: 2022-08-10 23:37body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "body-parser-xml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3666"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-14T18:39:31Z",
"nvd_published_at": "2021-09-13T18:15:00Z",
"severity": "HIGH"
},
"details": "body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027).",
"id": "GHSA-2ghc-6v89-pw9j",
"modified": "2022-08-10T23:37:49Z",
"published": "2021-09-14T20:25:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3666"
},
{
"type": "WEB",
"url": "https://github.com/fiznool/body-parser-xml/commit/d46ca622560f7c9a033cd9321c61e92558150d63"
},
{
"type": "PACKAGE",
"url": "https://github.com/fiznool/body-parser-xml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/1-other-fiznool/body-parser-xml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "body-parser-xml vulnerable to Prototype Pollution"
}
GHSA-2JX3-65F3-XR8R
Vulnerability from github – Published: 2026-06-18 21:07 – Updated: 2026-06-18 21:07Summary
OTPHP\Factory::loadFromProvisioningUri() parses an attacker-supplied otpauth:// URI and forwards every query key to OTP::setParameter($key, $value). setParameter() resolves the name with property_exists($this, $parameter) and performs a dynamic write $this->{$parameter} = $value (src/OTP.php:196-197). Because the query keys are entirely controlled by whoever produced the URI, a URI can target the internal properties of the OTP object that are not meant to be set from a URI: parameters, issuer, label, issuer_included_as_parameter, and (on TOTP) the readonly clock. This is an instance of object property mass-assignment (CWE-915).
Impact
The Factory is documented as the entry point for third-party provisioning URIs (e.g. QR codes from Microsoft 365 / Google Authenticator). An application that loads such a URI is exposed to:
- State corruption. A URI such as
otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP¶meters[foo]=baroverwrites the whole internal$parametersarray thatcreateFromSecret()primed (period,algorithm,digits,epoch). The resulting object is silently unusable:getProvisioningUri(),getDigits(),at(),verify()then throwParameterNotFoundException. - Uncaught TypeError escaping the documented exception type. A URI such as
otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&issuer_included_as_parameter=notaboolassigns a string to a typedboolproperty and raises aTypeError. Thetry/catchinloadFromProvisioningUri()only wrapsUrl::fromString();createOTP()andpopulateOTP()run outside it, so theTypeError(andErroron the readonlyclock) escapes past the documentedInvalidProvisioningUriException, breaking callers that catch only the documented type. - Label/issuer validation bypass.
parameters[label]=hijackedstores a label into the parameters array without running thelabelvalidation callback (keyed onlabel, notparameters).getLabel()andgetParameter('label')then disagree — a confused-deputy risk.
Affected component
src/OTP.php:187-201—setParameter()dynamic property writesrc/Factory.php:50-55—populateParameters()forwarding all query keys
Proof of concept
use OTPHP\Factory;
// State corruption
$otp = Factory::loadFromProvisioningUri(
'otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP¶meters[foo]=bar',
$clock
);
$otp->getProvisioningUri(); // ParameterNotFoundException: Parameter "period" does not exist
// Uncaught TypeError
Factory::loadFromProvisioningUri(
'otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&issuer_included_as_parameter=notabool',
$clock
); // TypeError escapes InvalidProvisioningUriException
Remediation
Restrict the keys accepted from a provisioning URI to a known allow-list of public OTP parameters, and never let a URI key resolve to an internal object property via property_exists. Route all URI-sourced values through the validated parameter map only.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "spomky-labs/otphp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T21:07:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n`OTPHP\\Factory::loadFromProvisioningUri()` parses an attacker-supplied `otpauth://` URI and forwards **every** query key to `OTP::setParameter($key, $value)`. `setParameter()` resolves the name with `property_exists($this, $parameter)` and performs a dynamic write `$this-\u003e{$parameter} = $value` (`src/OTP.php:196-197`). Because the query keys are entirely controlled by whoever produced the URI, a URI can target the internal properties of the OTP object that are not meant to be set from a URI: `parameters`, `issuer`, `label`, `issuer_included_as_parameter`, and (on TOTP) the readonly `clock`. This is an instance of object property mass-assignment (CWE-915).\n\n## Impact\n\nThe `Factory` is documented as the entry point for third-party provisioning URIs (e.g. QR codes from Microsoft 365 / Google Authenticator). An application that loads such a URI is exposed to:\n\n- **State corruption.** A URI such as `otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026parameters[foo]=bar` overwrites the whole internal `$parameters` array that `createFromSecret()` primed (`period`, `algorithm`, `digits`, `epoch`). The resulting object is silently unusable: `getProvisioningUri()`, `getDigits()`, `at()`, `verify()` then throw `ParameterNotFoundException`.\n- **Uncaught TypeError escaping the documented exception type.** A URI such as `otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026issuer_included_as_parameter=notabool` assigns a string to a typed `bool` property and raises a `TypeError`. The `try/catch` in `loadFromProvisioningUri()` only wraps `Url::fromString()`; `createOTP()` and `populateOTP()` run outside it, so the `TypeError` (and `Error` on the readonly `clock`) escapes past the documented `InvalidProvisioningUriException`, breaking callers that catch only the documented type.\n- **Label/issuer validation bypass.** `parameters[label]=hijacked` stores a label into the parameters array without running the `label` validation callback (keyed on `label`, not `parameters`). `getLabel()` and `getParameter(\u0027label\u0027)` then disagree \u2014 a confused-deputy risk.\n\n## Affected component\n\n- `src/OTP.php:187-201` \u2014 `setParameter()` dynamic property write\n- `src/Factory.php:50-55` \u2014 `populateParameters()` forwarding all query keys\n\n## Proof of concept\n\n```php\nuse OTPHP\\Factory;\n\n// State corruption\n$otp = Factory::loadFromProvisioningUri(\n \u0027otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026parameters[foo]=bar\u0027,\n $clock\n);\n$otp-\u003egetProvisioningUri(); // ParameterNotFoundException: Parameter \"period\" does not exist\n\n// Uncaught TypeError\nFactory::loadFromProvisioningUri(\n \u0027otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026issuer_included_as_parameter=notabool\u0027,\n $clock\n); // TypeError escapes InvalidProvisioningUriException\n```\n\n## Remediation\n\nRestrict the keys accepted from a provisioning URI to a known allow-list of public OTP parameters, and never let a URI key resolve to an internal object property via `property_exists`. Route all URI-sourced values through the validated parameter map only.",
"id": "GHSA-2jx3-65f3-xr8r",
"modified": "2026-06-18T21:07:41Z",
"published": "2026-06-18T21:07:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Spomky-Labs/otphp/security/advisories/GHSA-2jx3-65f3-xr8r"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/spomky-labs/otphp/GHSA-2jx3-65f3-xr8r.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/Spomky-Labs/otphp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "spomky-labs/otphp: Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError"
}
GHSA-2QPH-Q8XW-GV7Q
Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-04-01 19:06Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "10.3.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "10.4.0"
},
{
"fixed": "10.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.1.0"
},
{
"fixed": "11.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-31674"
],
"database_specific": {
"cwe_ids": [
"CWE-913",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-01T19:06:02Z",
"nvd_published_at": "2025-03-31T22:15:19Z",
"severity": "MODERATE"
},
"details": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.",
"id": "GHSA-2qph-q8xw-gv7q",
"modified": "2025-04-01T19:06:02Z",
"published": "2025-04-01T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31674"
},
{
"type": "PACKAGE",
"url": "https://github.com/drupal/core"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2025-003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability"
}
GHSA-2RXH-H6H9-QRQC
Vulnerability from github – Published: 2020-05-13 23:18 – Updated: 2021-01-08 20:16Calling unserialize() on malicious user-submitted content can result in the following scenarios: - trigger deletion of arbitrary directory in file system (if writable for web server) - trigger message submission via email using identity of web site (mail relay)
Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.
Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.
References
- https://typo3.org/security/advisory/typo3-core-sa-2020-004
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-11066"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2020-05-13T23:17:19Z",
"nvd_published_at": "2020-05-14T00:15:00Z",
"severity": "HIGH"
},
"details": "Calling unserialize() on malicious user-submitted content can result in the following scenarios:\n- trigger deletion of arbitrary directory in file system (if writable for web server)\n- trigger message submission via email using identity of web site (mail relay)\n\nAnother insecure deserialization vulnerability is required to actually exploit mentioned aspects.\n\nUpdate to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.\n\n### References\n* https://typo3.org/security/advisory/typo3-core-sa-2020-004",
"id": "GHSA-2rxh-h6h9-qrqc",
"modified": "2021-01-08T20:16:34Z",
"published": "2020-05-13T23:18:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2rxh-h6h9-qrqc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11066"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11066.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11066.yaml"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2020-004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Class destructors causing side-effects when being unserialized in TYPO3 CMS"
}
GHSA-2XFC-G69J-X2MP
Vulnerability from github – Published: 2026-03-03 21:00 – Updated: 2026-03-04 18:39Description
The entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.
Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship.
Proof of Concept
Prerequisites
- A user account with "Create Entries" permission for a section.
- Victim's account ID (e.g.,
1for the default Admin).
Steps to Reproduce
- Log in as the attacker
- Navigate to the "Entries" section and click "New Entry"
- Fill in the required fields
- Enable a proxy tool (e.g., Burp Suite) to intercept requests
- Click "Save" & Intercept the request
- In the request body, add a new parameter to the body params:
&authorIds[]=<Victim_ID> - Forward the request
- Log in as an admin / as with the victim account
- Go to entries & Observe the newly created entry is listed and the author is the victim account, not the actual creator
Impact
- A user can create entries that appear to belong to higher-privileged users, potentially bypassing review processes or gaining trust based on false authorship.
- An attacker could post malicious or inappropriate content attributed to an administrator or other trusted users.
Resources
https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542 https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.9.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.17.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28781"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:00:51Z",
"nvd_published_at": "2026-03-04T17:16:21Z",
"severity": "MODERATE"
},
"details": "## Description\nThe entry creation process allows for **Mass Assignment** of the `authorId` attribute. A user with \"Create Entries\" permission can inject the `authorIds[]` (or `authorId`) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.\n\nNormally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship.\n\n## Proof of Concept\n### Prerequisites\n- A user account with \"Create Entries\" permission for a section.\n- Victim\u0027s account ID (e.g., `1` for the default Admin).\n\n### Steps to Reproduce\n1. Log in as the attacker\n1. Navigate to the \"Entries\" section and click \"New Entry\"\n1. Fill in the required fields\n1. Enable a proxy tool (e.g., Burp Suite) to intercept requests\n1. Click \"Save\" \u0026 Intercept the request\n1. In the request body, add a new parameter to the body params: `\u0026authorIds[]=\u003cVictim_ID\u003e`\n1. Forward the request\n1. Log in as an admin / as with the victim account\n1. Go to entries \u0026 Observe the newly created entry is listed and the author is the victim account, not the actual creator\n\n## Impact\n- A user can create entries that appear to belong to higher-privileged users, potentially bypassing review processes or gaining trust based on false authorship.\n- An attacker could post malicious or inappropriate content attributed to an administrator or other trusted users.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542\nhttps://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8",
"id": "GHSA-2xfc-g69j-x2mp",
"modified": "2026-03-04T18:39:05Z",
"published": "2026-03-03T21:00:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28781"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS: Entries Authorship Spoofing via Mass Assignment"
}
GHSA-393C-P46R-7C95
Vulnerability from github – Published: 2026-04-04 06:06 – Updated: 2026-04-09 19:05Summary
A broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the filename_disk parameter.
Details
The PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering.
Impact
- Unauthorized File Overwrite: Attackers can replace legitimate files with malicious content, creating significant risk of malware propagation and data corruption.
- Remote Code Execution: If the storage backend is shared with the extensions location, attackers can deploy malicious extensions that execute arbitrary code when loaded.
- Data Integrity Compromise: Files can be tampered with or replaced without visible indication in the application interface.
Mitigation
The filename_disk parameter should be treated as a server-controlled value. Uniqueness of storage paths must be enforced server-side, and filename_disk should be excluded from the fields users are permitted to update directly.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39942"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T06:06:39Z",
"nvd_published_at": "2026-04-09T17:16:29Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the `filename_disk` parameter.\n\n## Details\n\nThe `PATCH /files/{id}` endpoint accepts a user-controlled `filename_disk` parameter. By setting this value to match the storage path of another user\u0027s file, an attacker can overwrite that file\u0027s content while manipulating metadata fields such as `uploaded_by` to obscure the tampering.\n\n## Impact\n\n- **Unauthorized File Overwrite**: Attackers can replace legitimate files with malicious content, creating significant risk of malware propagation and data corruption.\n- **Remote Code Execution**: If the storage backend is shared with the extensions location, attackers can deploy malicious extensions that execute arbitrary code when loaded.\n- **Data Integrity Compromise**: Files can be tampered with or replaced without visible indication in the application interface.\n\n## Mitigation\n\nThe `filename_disk` parameter should be treated as a server-controlled value. Uniqueness of storage paths must be enforced server-side, and `filename_disk` should be excluded from the fields users are permitted to update directly.",
"id": "GHSA-393c-p46r-7c95",
"modified": "2026-04-09T19:05:27Z",
"published": "2026-04-04T06:06:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39942"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/releases/tag/v11.17.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus: Path Traversal and Broken Access Control in File Management API"
}
GHSA-3C9C-2P65-QVWV
Vulnerability from github – Published: 2021-09-27 20:12 – Updated: 2022-05-26 19:50Impact
The vulnerability exposes Aurelia application that uses aurelia-path package to parse a string. The majority of this will be Aurelia applications that employ the aurelia-router package. An example is this could allow an attacker to change the prototype of base object class Object by tricking an application to parse the following URL: https://aurelia.io/blog/?__proto__[asdf]=asdf
Patches
The problem should be patched in version 1.1.7. Any version earlier than this is vulnerable.
Workarounds
A partial work around is to free the Object prototype:
Object.freeze(Object.prototype)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "aurelia-path"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41097"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-27T19:18:37Z",
"nvd_published_at": "2021-09-27T18:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nThe vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`\n\n### Patches\nThe problem should be patched in version `1.1.7`. Any version earlier than this is vulnerable.\n\n### Workarounds\nA partial work around is to free the Object prototype:\n```ts\nObject.freeze(Object.prototype)\n```",
"id": "GHSA-3c9c-2p65-qvwv",
"modified": "2022-05-26T19:50:24Z",
"published": "2021-09-27T20:12:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41097"
},
{
"type": "WEB",
"url": "https://github.com/aurelia/path/issues/44"
},
{
"type": "WEB",
"url": "https://github.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1"
},
{
"type": "PACKAGE",
"url": "https://github.com/aurelia/path"
},
{
"type": "WEB",
"url": "https://github.com/aurelia/path/releases/tag/1.1.7"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/aurelia-path"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in aurelia-path"
}
GHSA-3GQC-3HVH-6HCG
Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.
{
"affected": [],
"aliases": [
"CVE-2018-6195"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-30T20:29:00Z",
"severity": "HIGH"
},
"details": "admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the \u0027session\u0027 HTTP GET parameter to wp-admin/upload.php.",
"id": "GHSA-3gqc-3hvh-6hcg",
"modified": "2022-05-13T01:20:30Z",
"published": "2022-05-13T01:20:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6195"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/1807349/wp-splashing-images"
},
{
"type": "WEB",
"url": "https://wpvulndb.com/vulnerabilities/9015"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/146109/WordPress-Splashing-Images-2.1-Cross-Site-Scripting-PHP-Object-Injection.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Jan/91"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3M77-J76G-6PHR
Vulnerability from github – Published: 2024-04-16 00:30 – Updated: 2024-04-16 00:30A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a role property with admin value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator.
{
"affected": [],
"aliases": [
"CVE-2024-0404"
],
"database_specific": {
"cwe_ids": [
"CWE-915"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-16T00:15:07Z",
"severity": "CRITICAL"
},
"details": "A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a `role` property with `admin` value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator.",
"id": "GHSA-3m77-j76g-6phr",
"modified": "2024-04-16T00:30:32Z",
"published": "2024-04-16T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0404"
},
{
"type": "WEB",
"url": "https://github.com/mintplex-labs/anything-llm/commit/8cd3a92c660b202655d99bee90b2864694c99946"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/b4355bae-766a-4bb0-942b-607bc491b23d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3MGQ-766R-8VR6
Vulnerability from github – Published: 2025-10-03 21:30 – Updated: 2025-10-03 21:30HCL MyXalytics: 6.6. is affected by Mass Assignment vulnerability. Mass Assignment occurs when user input is automatically bound to application objects without proper validation or access controls, potentially allowing unauthorized modification of sensitive fields.
{
"affected": [],
"aliases": [
"CVE-2025-52656"
],
"database_specific": {
"cwe_ids": [
"CWE-915"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-03T19:15:46Z",
"severity": "HIGH"
},
"details": "HCL MyXalytics: 6.6.\u00a0\u00a0is affected by Mass Assignment vulnerability. Mass Assignment occurs when user input is automatically bound to application objects without proper validation or access controls, potentially allowing unauthorized modification of sensitive fields.",
"id": "GHSA-3mgq-766r-8vr6",
"modified": "2025-10-03T21:30:58Z",
"published": "2025-10-03T21:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52656"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
- If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
- For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
Strategy: Input Validation
For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Mitigation
Strategy: Refactoring
Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
No CAPEC attack patterns related to this CWE.