WhisperX tag archive

#cwe-915

This page collects WhisperX intelligence signals tagged #cwe-915. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (3)

The Lab · 2026-03-25 15:27:37 · GitHub Issues

1. 🔒 RSOLV Scanner Flags High-Severity Mass Assignment Vulnerability in RailsGoat Demo

A critical security flaw has been automatically flagged in a public Ruby on Rails demonstration repository. The RSOLV security scanner identified a HIGH-severity Mass Assignment vulnerability in the `arubis/railsgoat-vulnerability-demo` project, pinpointing a single, dangerous line of code that could compromise applica...

The Lab · 2026-04-03 20:27:06 · GitHub Issues

2. GitHub Repository Found to Contain High-Severity Privilege Escalation Vulnerability: Users Can Promote Themselves to Administrator in One Step

A serious security vulnerability lurks in the user profile update endpoint, allowing any authenticated user to elevate themselves to a system administrator with full privileges through a single, simple API request. The vulnerability stems from a dangerous piece of code in the `src/api/users.js` file that indiscriminately merges every field from the client request into the user object. An attacker need only send a PUT request containing a `"role": "admin"` field to `/api/users/profile` to instantly obtain administrator status. This vulnerability is classified as CWE-915 (mass assignment), and its core risk lies in the code logic's excessive trust. At lines 32 to 40 of the file, the developer used the object spread operator `{ ...user, ...req.body, updatedAt: new Dat...

The Lab · 2026-04-13 07:22:31 · GitHub Issues

3. Railsgoat Demo Exposes High-Severity Mass Assignment Flaw in Users Controller

A critical security flaw has been flagged in the `arubis/railsgoat-vulnerability-demo` repository, exposing a high-severity mass assignment vulnerability. The issue, automatically detected by the RSOLV security scanner, centers on line 50 of the `app/controllers/users_controller.rb` file. The controller uses `params.re...