What is an over-posting attack?

I came across the term Over-posting while following Microsoft's application creation guide in ASP.NET Core.

I had asked a question about the use of attributes in a method signature, in this case the Bind attribute followed by the fields submitted by the form. This attribute was intended to protect the controller against over-posting.

However, my biggest doubt is about over-posting itself: I know how to protect myself from it in this scenario, but I do not know what it actually is.

Questions

  1. what is an over-posting attack?
  2. when and how does such an attack occur?
  3. what damage can it cause to my application?
Author: Comunidade, 2017-11-15

1 answer

This bears some resemblance to SQL injection, only now it is because of an automation that a framework provides to reduce coding work. It usually occurs with MVC and ORM.

What usually happens is that what comes from the URL is deserialized into an object that is subsequently persisted in the database. If you do not limit what should be deserialized, it is possible to send data that should not be changeable by something that comes from outside. It can change a password, change a balance, reset some history, change an identity, etc.

Depending on the system it can cause the same damage as SQL injection, although it is likely that something less severe will occur.

It is the old problem of having to validate all information that comes into the application from an external source. It occurs when you do it by hand and when you don't know how to use the framework properly. You never have control over what comes from outside; accept only what you are sure poses no danger and block everything else.

Bind helps, but does not solve everything. There are cases where the validation is not just "can or can't" receive the field; there is the way it can and the way it can't.

Most of the applications out there are subject to this, including ones written by experienced people. I have seen courses regarded as good that leave this gap uncovered: they teach how to do the damage, but not how to combat it.

See more in: Is validation via client enough?

 5
Author: Maniero, 2020-06-30 14:29:19
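As an added example (not code from the question or the answer above), the following ASP.NET Core MVC controllers show the scenario the answer describes: an action that binds the persisted entity straight from the request, next to the Bind attribute the question refers to and to two further defences. The entity, its properties and the controller and DbContext names (Customer, IsAdmin, Balance, AppDbContext, CustomersVulnerableController, CustomersController) are hypothetical, as is the Index action the redirects point at.

```csharp
// Added example, not code from the original question or answer.
// Names (Customer, IsAdmin, Balance, AppDbContext, the controllers) are hypothetical.
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// EF Core entity. IsAdmin and Balance must never be settable from a request.
public class Customer
{
    public int Id { get; set; }
    [Required] public string Name { get; set; } = "";
    [Required, EmailAddress] public string Email { get; set; } = "";
    public bool IsAdmin { get; set; }
    public decimal Balance { get; set; }
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Customer> Customers => Set<Customer>();
}

// VULNERABLE: the model binder fills every public settable property of Customer
// from the request. The form only renders Name and Email, but a client can post
//   Name=Alice&Email=a%40example.com&IsAdmin=true&Balance=999999
// and both extra values are persisted.
public class CustomersVulnerableController : Controller
{
    private readonly AppDbContext _db;
    public CustomersVulnerableController(AppDbContext db) => _db = db;

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Create(Customer customer)
    {
        if (!ModelState.IsValid) return View(customer);
        _db.Customers.Add(customer);           // IsAdmin/Balance come straight from the client
        await _db.SaveChangesAsync();
        return RedirectToAction("Index");      // Index action assumed to exist elsewhere
    }
}

// HARDENED: three approaches, any one of which stops the request above.
public class CustomersController : Controller
{
    private readonly AppDbContext _db;
    public CustomersController(AppDbContext db) => _db = db;

    // 1. [Bind] allow-list: the binder ignores everything except Name and Email.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Create([Bind("Name,Email")] Customer customer)
    {
        if (!ModelState.IsValid) return View(customer);
        _db.Customers.Add(customer);           // IsAdmin stays false, Balance stays 0
        await _db.SaveChangesAsync();
        return RedirectToAction("Index");
    }

    // 2. Edit: load the row first, then copy only the allowed properties onto it.
    //    TryUpdateModelAsync with explicit property expressions is the update-side
    //    equivalent of [Bind]; a bare Edit(Customer customer) followed by
    //    _db.Update(customer) would let the client overwrite every column of the
    //    row it names, including IsAdmin and Balance.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Edit(int id)
    {
        var customer = await _db.Customers.FindAsync(id);
        if (customer is null) return NotFound();

        var ok = await TryUpdateModelAsync(customer, "", c => c.Name, c => c.Email);
        if (!ok) return View(customer);
        await _db.SaveChangesAsync();
        return RedirectToAction("Index");
    }

    // 3. Dedicated input model: the allow-list is the type itself, so it cannot
    //    drift when someone later adds a column to Customer.
    public class CustomerInput
    {
        [Required] public string Name { get; set; } = "";
        [Required, EmailAddress] public string Email { get; set; } = "";
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> CreateFromInput(CustomerInput input)
    {
        if (!ModelState.IsValid) return View(input);
        _db.Customers.Add(new Customer { Name = input.Name, Email = input.Email });
        await _db.SaveChangesAsync();
        return RedirectToAction("Index");
    }
}
```

To check a real application for this gap, add a hidden `IsAdmin=true` input to the rendered form through the browser's developer tools (the antiforgery token is then submitted normally), post it, and inspect the stored row: against the vulnerable action the flag is set, against the allow-listed actions it stays false. Note that `[Bind]` applies only to the parameter it decorates and takes the property list as a string, so a typo silently drops a field and the same entity bound elsewhere without the attribute is exposed again; that is one reason the answer says it helps but does not solve everything. The input-model approach removes the dangerous properties from binding altogether, and `[BindNever]` from Microsoft.AspNetCore.Mvc.ModelBinding can additionally be placed on entity properties such as IsAdmin as a last line of defence.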