CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

BaseIncomplete

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

View on MITRE

Back to CWE Lookup

Extended Description

If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.

Technical Details

Structure: Simple

Applicable To

Languages

RubyASP.NETPHPPythonNot Language-Specific

Platforms

Learn More

Find Related CVEs

Search for vulnerabilities that exploit CWE-915

CVE vs CWE: What's the Difference?

Understanding vulnerabilities vs weaknesses

Understanding CVSS Scoring

How vulnerability severity is measured

View Full MITRE Entry

Complete technical details and references