जमा करें #780607: z-9527 admin ≤ commit 72aaf2d Dynamically-Determined Object Attributesजानकारी

शीर्षकz-9527 admin ≤ commit 72aaf2d Dynamically-Determined Object Attributes
विवरणA mass assignment vulnerability exists in Z-9527 Admin ≤ commit 72aaf2d at the /user/update endpoint, where user-supplied parameters are directly iterated and incorporated into SQL UPDATE statements without field whitelisting. As a result, authenticated attackers can modify arbitrary database columns, including privilege-escalation fields such as isAdmin. Mitigations include implementing a strict whitelist of updatable fields, using an ORM with explicit field mapping, validating all input parameters against allowed attributes, separating privileged fields into admin-only update routes, and applying role-based access control before processing any update operations.
स्रोत⚠️ https://github.com/CC-T-454455/Vulnerabilities/tree/master/z9527-admin/vulnerability-11
उपयोगकर्ता
 Anonymous User
सबमिशन16/03/2026 04:37 AM (4 महीनों पहले)
संयम31/03/2026 06:11 PM (16 days later)
स्थितिस्वीकृत
VulDB प्रविष्टि354441 [z-9527 admin 1.0/2.0 User Update Endpoint /server/routes/user.js isAdmin अधिकार वृद्धि]
अंक20

Interested in the pricing of exploits?

See the underground prices here!