Common Weakness Enumeration

CWE-915

Allowed

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Abstraction: Base · Status: Incomplete

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

276 vulnerabilities reference this CWE, most recent first.

GHSA-2GHC-6V89-PW9J

Vulnerability from github – Published: 2021-09-14 20:25 – Updated: 2022-08-10 23:37
VLAI
Summary
body-parser-xml vulnerable to Prototype Pollution
Details

body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "body-parser-xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-14T18:39:31Z",
    "nvd_published_at": "2021-09-13T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027).",
  "id": "GHSA-2ghc-6v89-pw9j",
  "modified": "2022-08-10T23:37:49Z",
  "published": "2021-09-14T20:25:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3666"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fiznool/body-parser-xml/commit/d46ca622560f7c9a033cd9321c61e92558150d63"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fiznool/body-parser-xml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/1-other-fiznool/body-parser-xml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "body-parser-xml vulnerable to Prototype Pollution"
}

GHSA-2JX3-65F3-XR8R

Vulnerability from github – Published: 2026-06-18 21:07 – Updated: 2026-06-18 21:07
VLAI
Summary
spomky-labs/otphp: Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError
Details

Summary

OTPHP\Factory::loadFromProvisioningUri() parses an attacker-supplied otpauth:// URI and forwards every query key to OTP::setParameter($key, $value). setParameter() resolves the name with property_exists($this, $parameter) and performs a dynamic write $this->{$parameter} = $value (src/OTP.php:196-197). Because the query keys are entirely controlled by whoever produced the URI, a URI can target the internal properties of the OTP object that are not meant to be set from a URI: parameters, issuer, label, issuer_included_as_parameter, and (on TOTP) the readonly clock. This is an instance of object property mass-assignment (CWE-915).

Impact

The Factory is documented as the entry point for third-party provisioning URIs (e.g. QR codes from Microsoft 365 / Google Authenticator). An application that loads such a URI is exposed to:

  • State corruption. A URI such as otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&parameters[foo]=bar overwrites the whole internal $parameters array that createFromSecret() primed (period, algorithm, digits, epoch). The resulting object is silently unusable: getProvisioningUri(), getDigits(), at(), verify() then throw ParameterNotFoundException.
  • Uncaught TypeError escaping the documented exception type. A URI such as otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&issuer_included_as_parameter=notabool assigns a string to a typed bool property and raises a TypeError. The try/catch in loadFromProvisioningUri() only wraps Url::fromString(); createOTP() and populateOTP() run outside it, so the TypeError (and Error on the readonly clock) escapes past the documented InvalidProvisioningUriException, breaking callers that catch only the documented type.
  • Label/issuer validation bypass. parameters[label]=hijacked stores a label into the parameters array without running the label validation callback (keyed on label, not parameters). getLabel() and getParameter('label') then disagree — a confused-deputy risk.

Affected component

  • src/OTP.php:187-201setParameter() dynamic property write
  • src/Factory.php:50-55populateParameters() forwarding all query keys

Proof of concept

use OTPHP\Factory;

// State corruption
$otp = Factory::loadFromProvisioningUri(
    'otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&parameters[foo]=bar',
    $clock
);
$otp->getProvisioningUri(); // ParameterNotFoundException: Parameter "period" does not exist

// Uncaught TypeError
Factory::loadFromProvisioningUri(
    'otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&issuer_included_as_parameter=notabool',
    $clock
); // TypeError escapes InvalidProvisioningUriException

Remediation

Restrict the keys accepted from a provisioning URI to a known allow-list of public OTP parameters, and never let a URI key resolve to an internal object property via property_exists. Route all URI-sourced values through the validated parameter map only.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "spomky-labs/otphp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T21:07:41Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`OTPHP\\Factory::loadFromProvisioningUri()` parses an attacker-supplied `otpauth://` URI and forwards **every** query key to `OTP::setParameter($key, $value)`. `setParameter()` resolves the name with `property_exists($this, $parameter)` and performs a dynamic write `$this-\u003e{$parameter} = $value` (`src/OTP.php:196-197`). Because the query keys are entirely controlled by whoever produced the URI, a URI can target the internal properties of the OTP object that are not meant to be set from a URI: `parameters`, `issuer`, `label`, `issuer_included_as_parameter`, and (on TOTP) the readonly `clock`. This is an instance of object property mass-assignment (CWE-915).\n\n## Impact\n\nThe `Factory` is documented as the entry point for third-party provisioning URIs (e.g. QR codes from Microsoft 365 / Google Authenticator). An application that loads such a URI is exposed to:\n\n- **State corruption.** A URI such as `otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026parameters[foo]=bar` overwrites the whole internal `$parameters` array that `createFromSecret()` primed (`period`, `algorithm`, `digits`, `epoch`). The resulting object is silently unusable: `getProvisioningUri()`, `getDigits()`, `at()`, `verify()` then throw `ParameterNotFoundException`.\n- **Uncaught TypeError escaping the documented exception type.** A URI such as `otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026issuer_included_as_parameter=notabool` assigns a string to a typed `bool` property and raises a `TypeError`. The `try/catch` in `loadFromProvisioningUri()` only wraps `Url::fromString()`; `createOTP()` and `populateOTP()` run outside it, so the `TypeError` (and `Error` on the readonly `clock`) escapes past the documented `InvalidProvisioningUriException`, breaking callers that catch only the documented type.\n- **Label/issuer validation bypass.** `parameters[label]=hijacked` stores a label into the parameters array without running the `label` validation callback (keyed on `label`, not `parameters`). `getLabel()` and `getParameter(\u0027label\u0027)` then disagree \u2014 a confused-deputy risk.\n\n## Affected component\n\n- `src/OTP.php:187-201` \u2014 `setParameter()` dynamic property write\n- `src/Factory.php:50-55` \u2014 `populateParameters()` forwarding all query keys\n\n## Proof of concept\n\n```php\nuse OTPHP\\Factory;\n\n// State corruption\n$otp = Factory::loadFromProvisioningUri(\n    \u0027otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026parameters[foo]=bar\u0027,\n    $clock\n);\n$otp-\u003egetProvisioningUri(); // ParameterNotFoundException: Parameter \"period\" does not exist\n\n// Uncaught TypeError\nFactory::loadFromProvisioningUri(\n    \u0027otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026issuer_included_as_parameter=notabool\u0027,\n    $clock\n); // TypeError escapes InvalidProvisioningUriException\n```\n\n## Remediation\n\nRestrict the keys accepted from a provisioning URI to a known allow-list of public OTP parameters, and never let a URI key resolve to an internal object property via `property_exists`. Route all URI-sourced values through the validated parameter map only.",
  "id": "GHSA-2jx3-65f3-xr8r",
  "modified": "2026-06-18T21:07:41Z",
  "published": "2026-06-18T21:07:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Spomky-Labs/otphp/security/advisories/GHSA-2jx3-65f3-xr8r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/spomky-labs/otphp/GHSA-2jx3-65f3-xr8r.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Spomky-Labs/otphp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "spomky-labs/otphp: Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError"
}

GHSA-2QPH-Q8XW-GV7Q

Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-04-01 19:06
VLAI
Summary
Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
Details

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "10.3.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.4.0"
            },
            {
              "fixed": "10.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.1.0"
            },
            {
              "fixed": "11.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-31674"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-01T19:06:02Z",
    "nvd_published_at": "2025-03-31T22:15:19Z",
    "severity": "MODERATE"
  },
  "details": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.",
  "id": "GHSA-2qph-q8xw-gv7q",
  "modified": "2025-04-01T19:06:02Z",
  "published": "2025-04-01T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31674"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drupal/core"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2025-003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability"
}

GHSA-2RXH-H6H9-QRQC

Vulnerability from github – Published: 2020-05-13 23:18 – Updated: 2021-01-08 20:16
VLAI
Summary
Class destructors causing side-effects when being unserialized in TYPO3 CMS
Details

Calling unserialize() on malicious user-submitted content can result in the following scenarios: - trigger deletion of arbitrary directory in file system (if writable for web server) - trigger message submission via email using identity of web site (mail relay)

Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.

Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.

References

  • https://typo3.org/security/advisory/typo3-core-sa-2020-004
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.5.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.5.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-05-13T23:17:19Z",
    "nvd_published_at": "2020-05-14T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Calling unserialize() on malicious user-submitted content can result in the following scenarios:\n- trigger deletion of arbitrary directory in file system (if writable for web server)\n- trigger message submission via email using identity of web site (mail relay)\n\nAnother insecure deserialization vulnerability is required to actually exploit mentioned aspects.\n\nUpdate to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.\n\n### References\n* https://typo3.org/security/advisory/typo3-core-sa-2020-004",
  "id": "GHSA-2rxh-h6h9-qrqc",
  "modified": "2021-01-08T20:16:34Z",
  "published": "2020-05-13T23:18:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2rxh-h6h9-qrqc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11066"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11066.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11066.yaml"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Class destructors causing side-effects when being unserialized in TYPO3 CMS"
}

GHSA-2XFC-G69J-X2MP

Vulnerability from github – Published: 2026-03-03 21:00 – Updated: 2026-03-04 18:39
VLAI
Summary
Craft CMS: Entries Authorship Spoofing via Mass Assignment
Details

Description

The entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.

Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship.

Proof of Concept

Prerequisites

  • A user account with "Create Entries" permission for a section.
  • Victim's account ID (e.g., 1 for the default Admin).

Steps to Reproduce

  1. Log in as the attacker
  2. Navigate to the "Entries" section and click "New Entry"
  3. Fill in the required fields
  4. Enable a proxy tool (e.g., Burp Suite) to intercept requests
  5. Click "Save" & Intercept the request
  6. In the request body, add a new parameter to the body params: &authorIds[]=<Victim_ID>
  7. Forward the request
  8. Log in as an admin / as with the victim account
  9. Go to entries & Observe the newly created entry is listed and the author is the victim account, not the actual creator

Impact

  • A user can create entries that appear to belong to higher-privileged users, potentially bypassing review processes or gaining trust based on false authorship.
  • An attacker could post malicious or inappropriate content attributed to an administrator or other trusted users.

Resources

https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542 https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.9.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.17.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:00:51Z",
    "nvd_published_at": "2026-03-04T17:16:21Z",
    "severity": "MODERATE"
  },
  "details": "## Description\nThe entry creation process allows for **Mass Assignment** of the `authorId` attribute. A user with \"Create Entries\" permission can inject the `authorIds[]` (or `authorId`) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.\n\nNormally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship.\n\n## Proof of Concept\n### Prerequisites\n- A user account with \"Create Entries\" permission for a section.\n- Victim\u0027s account ID (e.g., `1` for the default Admin).\n\n### Steps to Reproduce\n1. Log in as the attacker\n1. Navigate to the \"Entries\" section and click \"New Entry\"\n1. Fill in the required fields\n1. Enable a proxy tool (e.g., Burp Suite) to intercept requests\n1. Click \"Save\" \u0026 Intercept the request\n1. In the request body, add a new parameter to the body params: `\u0026authorIds[]=\u003cVictim_ID\u003e`\n1. Forward the request\n1. Log in as an admin / as with the victim account\n1. Go to entries \u0026 Observe the newly created entry is listed and the author is the victim account, not the actual creator\n\n## Impact\n- A user can create entries that appear to belong to higher-privileged users, potentially bypassing review processes or gaining trust based on false authorship.\n- An attacker could post malicious or inappropriate content attributed to an administrator or other trusted users.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542\nhttps://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8",
  "id": "GHSA-2xfc-g69j-x2mp",
  "modified": "2026-03-04T18:39:05Z",
  "published": "2026-03-03T21:00:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28781"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS: Entries Authorship Spoofing via Mass Assignment"
}

GHSA-393C-P46R-7C95

Vulnerability from github – Published: 2026-04-04 06:06 – Updated: 2026-04-09 19:05
VLAI
Summary
Directus: Path Traversal and Broken Access Control in File Management API
Details

Summary

A broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the filename_disk parameter.

Details

The PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering.

Impact

  • Unauthorized File Overwrite: Attackers can replace legitimate files with malicious content, creating significant risk of malware propagation and data corruption.
  • Remote Code Execution: If the storage backend is shared with the extensions location, attackers can deploy malicious extensions that execute arbitrary code when loaded.
  • Data Integrity Compromise: Files can be tampered with or replaced without visible indication in the application interface.

Mitigation

The filename_disk parameter should be treated as a server-controlled value. Uniqueness of storage paths must be enforced server-side, and filename_disk should be excluded from the fields users are permitted to update directly.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:06:39Z",
    "nvd_published_at": "2026-04-09T17:16:29Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the `filename_disk` parameter.\n\n## Details\n\nThe `PATCH /files/{id}` endpoint accepts a user-controlled `filename_disk` parameter. By setting this value to match the storage path of another user\u0027s file, an attacker can overwrite that file\u0027s content while manipulating metadata fields such as `uploaded_by` to obscure the tampering.\n\n## Impact\n\n- **Unauthorized File Overwrite**: Attackers can replace legitimate files with malicious content, creating significant risk of malware propagation and data corruption.\n- **Remote Code Execution**: If the storage backend is shared with the extensions location, attackers can deploy malicious extensions that execute arbitrary code when loaded.\n- **Data Integrity Compromise**: Files can be tampered with or replaced without visible indication in the application interface.\n\n## Mitigation\n\nThe `filename_disk` parameter should be treated as a server-controlled value. Uniqueness of storage paths must be enforced server-side, and `filename_disk` should be excluded from the fields users are permitted to update directly.",
  "id": "GHSA-393c-p46r-7c95",
  "modified": "2026-04-09T19:05:27Z",
  "published": "2026-04-04T06:06:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39942"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/releases/tag/v11.17.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus: Path Traversal and Broken Access Control in File Management API"
}

GHSA-3C9C-2P65-QVWV

Vulnerability from github – Published: 2021-09-27 20:12 – Updated: 2022-05-26 19:50
VLAI
Summary
Prototype pollution in aurelia-path
Details

Impact

The vulnerability exposes Aurelia application that uses aurelia-path package to parse a string. The majority of this will be Aurelia applications that employ the aurelia-router package. An example is this could allow an attacker to change the prototype of base object class Object by tricking an application to parse the following URL: https://aurelia.io/blog/?__proto__[asdf]=asdf

Patches

The problem should be patched in version 1.1.7. Any version earlier than this is vulnerable.

Workarounds

A partial work around is to free the Object prototype:

Object.freeze(Object.prototype)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "aurelia-path"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-27T19:18:37Z",
    "nvd_published_at": "2021-09-27T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThe vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`\n\n### Patches\nThe problem should be patched in version `1.1.7`. Any version earlier than this is vulnerable.\n\n### Workarounds\nA partial work around is to free the Object prototype:\n```ts\nObject.freeze(Object.prototype)\n```",
  "id": "GHSA-3c9c-2p65-qvwv",
  "modified": "2022-05-26T19:50:24Z",
  "published": "2021-09-27T20:12:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41097"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aurelia/path/issues/44"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aurelia/path"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aurelia/path/releases/tag/1.1.7"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/aurelia-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in aurelia-path"
}

GHSA-3GQC-3HVH-6HCG

Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20
VLAI
Details

admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-30T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the \u0027session\u0027 HTTP GET parameter to wp-admin/upload.php.",
  "id": "GHSA-3gqc-3hvh-6hcg",
  "modified": "2022-05-13T01:20:30Z",
  "published": "2022-05-13T01:20:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6195"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/1807349/wp-splashing-images"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9015"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/146109/WordPress-Splashing-Images-2.1-Cross-Site-Scripting-PHP-Object-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2018/Jan/91"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3M77-J76G-6PHR

Vulnerability from github – Published: 2024-04-16 00:30 – Updated: 2024-04-16 00:30
VLAI
Details

A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a role property with admin value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-16T00:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a `role` property with `admin` value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator.",
  "id": "GHSA-3m77-j76g-6phr",
  "modified": "2024-04-16T00:30:32Z",
  "published": "2024-04-16T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0404"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mintplex-labs/anything-llm/commit/8cd3a92c660b202655d99bee90b2864694c99946"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/b4355bae-766a-4bb0-942b-607bc491b23d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3MGQ-766R-8VR6

Vulnerability from github – Published: 2025-10-03 21:30 – Updated: 2025-10-03 21:30
VLAI
Details

HCL MyXalytics: 6.6.  is affected by Mass Assignment vulnerability. Mass Assignment occurs when user input is automatically bound to application objects without proper validation or access controls, potentially allowing unauthorized modification of sensitive fields.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-03T19:15:46Z",
    "severity": "HIGH"
  },
  "details": "HCL MyXalytics: 6.6.\u00a0\u00a0is affected by Mass Assignment vulnerability. Mass Assignment occurs when user input is automatically bound to application objects without proper validation or access controls, potentially allowing unauthorized modification of sensitive fields.",
  "id": "GHSA-3mgq-766r-8vr6",
  "modified": "2025-10-03T21:30:58Z",
  "published": "2025-10-03T21:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52656"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation
  • If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
  • For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.

Mitigation
Implementation Architecture and Design

Strategy: Refactoring

Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.

No CAPEC attack patterns related to this CWE.