CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
781 vulnerabilities reference this CWE, most recent first.
GHSA-C7M7-4257-H698
Vulnerability from github – Published: 2021-05-06 17:29 – Updated: 2021-05-05 21:29All versions of package templ8 up to and including 0.0.44 are vulnerable to Prototype Pollution via the parse function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "templ8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.44"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7702"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T21:29:36Z",
"nvd_published_at": "2020-08-17T14:15:00Z",
"severity": "CRITICAL"
},
"details": "All versions of package templ8 up to and including 0.0.44 are vulnerable to Prototype Pollution via the parse function.",
"id": "GHSA-c7m7-4257-h698",
"modified": "2021-05-05T21:29:36Z",
"published": "2021-05-06T17:29:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7702"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-TEMPL8-598770"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in templ8"
}
GHSA-C8XV-5998-G76H
Vulnerability from github – Published: 2026-05-14 16:17 – Updated: 2026-05-14 16:17Impact
An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance.
Patches
The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the HTTP Request node by adding n8n-nodes-base.httpRequest to the NODES_EXCLUDE environment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.123.43"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "2.21.0"
},
{
"fixed": "2.22.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-rc.0"
},
{
"fixed": "2.20.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44789"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T16:17:23Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Impact\nAn authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the HTTP Request node by adding `n8n-nodes-base.httpRequest` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.\n\n---\nn8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.\n\nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"id": "GHSA-c8xv-5998-g76h",
"modified": "2026-05-14T16:17:23Z",
"published": "2026-05-14T16:17:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-c8xv-5998-g76h"
},
{
"type": "PACKAGE",
"url": "https://github.com/n8n-io/n8n"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "n8n: HTTP Request Node Pagination Prototype Pollution to RCE"
}
GHSA-CC8P-78QF-8P7Q
Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-26 18:31A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "proto"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.
{
"affected": [],
"aliases": [
"CVE-2025-57347"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-24T19:15:39Z",
"severity": "CRITICAL"
},
"details": "A vulnerability exists in the \u0027dagre-d3-es\u0027 Node.js package version 7.0.9, specifically within the \u0027bk\u0027 module\u0027s addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., \"__proto__\"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.",
"id": "GHSA-cc8p-78qf-8p7q",
"modified": "2025-09-26T18:31:19Z",
"published": "2025-09-24T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57347"
},
{
"type": "WEB",
"url": "https://github.com/tbo47/dagre-es/issues/52"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57347"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CFGR-75JX-H88G
Vulnerability from github – Published: 2022-10-31 19:00 – Updated: 2024-04-22 23:20Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.8.15"
},
"package": {
"ecosystem": "npm",
"name": "browserify-shim"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37623"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T23:20:54Z",
"nvd_published_at": "2022-10-31T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js.",
"id": "GHSA-cfgr-75jx-h88g",
"modified": "2024-04-22T23:20:54Z",
"published": "2022-10-31T19:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37623"
},
{
"type": "WEB",
"url": "https://github.com/thlorenz/browserify-shim/issues/248"
},
{
"type": "WEB",
"url": "https://github.com/thlorenz/browserify-shim/pull/246"
},
{
"type": "WEB",
"url": "https://github.com/thlorenz/browserify-shim/commit/97855e622b6dcd117c77e6583701962ff45e7338"
},
{
"type": "PACKAGE",
"url": "https://github.com/thlorenz/browserify-shim"
},
{
"type": "WEB",
"url": "https://github.com/thlorenz/browserify-shim/blob/464b32bbe142664cd9796059798f6c738ea3de8f/lib/resolve-shims.js#L158"
},
{
"type": "WEB",
"url": "https://github.com/thlorenz/browserify-shim/blob/464b32bbe142664cd9796059798f6c738ea3de8f/lib/resolve-shims.js#L94"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "thlorenz browserify-shim vulnerable to prototype pollution"
}
GHSA-CFW5-2VXH-HR84
Vulnerability from github – Published: 2026-03-12 14:13 – Updated: 2026-03-12 14:13In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "devalue"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.6.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30226"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:13:03Z",
"nvd_published_at": "2026-03-11T18:16:22Z",
"severity": "MODERATE"
},
"details": "In devalue v5.6.3, `devalue.parse` and `devalue.unflatten` were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.",
"id": "GHSA-cfw5-2vxh-hr84",
"modified": "2026-03-12T14:13:03Z",
"published": "2026-03-12T14:13:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-cfw5-2vxh-hr84"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30226"
},
{
"type": "PACKAGE",
"url": "https://github.com/sveltejs/devalue"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "devalue has prototype pollution in devalue.parse and devalue.unflatten"
}
GHSA-CH82-GQH6-9XJ9
Vulnerability from github – Published: 2020-09-04 15:13 – Updated: 2020-08-31 18:55All versions of get-setter are vulnerable to prototype pollution. The function set does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "get-setter"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:55:25Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "All versions of `get-setter` are vulnerable to prototype pollution. The function `set` does not restrict the modification of an Object\u0027s prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
"id": "GHSA-ch82-gqh6-9xj9",
"modified": "2020-08-31T18:55:25Z",
"published": "2020-09-04T15:13:19Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1332"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Prototype Pollution in get-setter"
}
GHSA-CJ63-JHHR-WCXV
Vulnerability from github – Published: 2026-04-03 03:45 – Updated: 2026-05-29 21:46Summary
When USE_PROFILES is enabled, DOMPurify rebuilds ALLOWED_ATTR as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via ALLOWED_ATTR[lcName], any Array.prototype property that is polluted also counts as an allowlisted attribute. An attacker who can set Array.prototype.onclick = true (or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handlers such as onclick even when they are normally forbidden. The provided PoC sanitizes <img onclick=...> with USE_PROFILES and adds the sanitized output to the DOM; the polluted prototype allows the event handler to survive and execute, turning what should be a blocklist into a silent XSS vector.
Impact
Prototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered.
Credits
Identified by Cantina’s Apex (https://www.cantina.security).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.3.1"
},
"package": {
"ecosystem": "npm",
"name": "dompurify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:45:08Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nWhen `USE_PROFILES` is enabled, DOMPurify rebuilds `ALLOWED_ATTR` as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via `ALLOWED_ATTR[lcName]`, any `Array.prototype` property that is polluted also counts as an allowlisted attribute. An attacker who can set `Array.prototype.onclick = true` (or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handlers such as `onclick` even when they are normally forbidden. The provided PoC sanitizes `\u003cimg onclick=...\u003e` with `USE_PROFILES` and adds the sanitized output to the DOM; the polluted prototype allows the event handler to survive and execute, turning what should be a blocklist into a silent XSS vector.\n\n## Impact\nPrototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered.\n\n## Credits\nIdentified by Cantina\u2019s Apex (https://www.cantina.security).",
"id": "GHSA-cj63-jhhr-wcxv",
"modified": "2026-05-29T21:46:57Z",
"published": "2026-04-03T03:45:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-cj63-jhhr-wcxv"
},
{
"type": "PACKAGE",
"url": "https://github.com/cure53/DOMPurify"
},
{
"type": "WEB",
"url": "https://github.com/cure53/DOMPurify/releases/tag/3.3.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "DOMPurify USE_PROFILES prototype pollution allows event handlers"
}
GHSA-CMXG-94MG-JQ94
Vulnerability from github – Published: 2026-05-18 17:07 – Updated: 2026-05-18 17:07Impact
Prototype pollution vulnerability in @tmlmobilidade/utils for setValueAtPath().
Patches
A fix is available in versions 20260509.0340.15 and up.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@tmlmobilidade/utils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20260509.0340.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45325"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:07:04Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nPrototype pollution vulnerability in @tmlmobilidade/utils for setValueAtPath().\n\n### Patches\nA fix is available in versions 20260509.0340.15 and up.",
"id": "GHSA-cmxg-94mg-jq94",
"modified": "2026-05-18T17:07:04Z",
"published": "2026-05-18T17:07:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tmlmobilidade/go/security/advisories/GHSA-cmxg-94mg-jq94"
},
{
"type": "WEB",
"url": "https://github.com/tmlmobilidade/go/commit/b10505baa7ba0701f830a05f3007c0a6bdd00eb7"
},
{
"type": "PACKAGE",
"url": "https://github.com/tmlmobilidade/go"
},
{
"type": "WEB",
"url": "https://github.com/tmlmobilidade/go/blob/prd/packages/utils/src/generic/value-at-path.ts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "@tmlmobilidade/utils has prototype pollution in its setValueAtPath"
}
GHSA-CQQH-49MX-FQ63
Vulnerability from github – Published: 2021-09-13 20:16 – Updated: 2022-08-10 23:45merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@viking04/merge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3645"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-13T19:14:06Z",
"nvd_published_at": "2021-09-10T11:15:00Z",
"severity": "CRITICAL"
},
"details": "merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"id": "GHSA-cqqh-49mx-fq63",
"modified": "2022-08-10T23:45:09Z",
"published": "2021-09-13T20:16:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3645"
},
{
"type": "WEB",
"url": "https://github.com/viking04/merge/commit/baba40332080b38b33840d2614df6d4142dedaf6"
},
{
"type": "PACKAGE",
"url": "https://github.com/viking04/merge"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/ef387a9e-ca3c-4c21-80e3-d34a6a896262"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "merge vulnerable to Prototype Pollution"
}
GHSA-CR7H-93FH-WHWM
Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-25 17:52A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "magix-combine-ex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57321"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-25T17:52:23Z",
"nvd_published_at": "2025-09-24T20:15:31Z",
"severity": "LOW"
},
"details": "A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
"id": "GHSA-cr7h-93fh-whwm",
"modified": "2025-09-25T17:52:42Z",
"published": "2025-09-24T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57321"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/magix-combine-ex%401.2.10/index.js"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57321"
},
{
"type": "PACKAGE",
"url": "https://github.com/thx/magix-combine"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "magix-combine-ex vulnerable to prototype pollution"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.