| عنوان | 20120630 novel-plus commitID 0e156c04b4b7ce0563bef6c97af4476fcda8f160 broken function level authorization |
|---|
| الوصف | Vulnerability 3 – User Session Leak (CVE-2)
Title: User Session Information Disclosed via Unauthenticated Endpoint
Details:
File: novel-system/src/main/java/com/java2nb/system/controller/SessionController.java
Endpoint: GET /list
Returns: List<UserOnline> including session IDs, IP addresses, login timestamps.
Example Request:
curl http://target-ip:port/list
Impact: Attackers can retrieve real-time user session data, which could be exploited for social engineering or session hijacking.
CWE: CWE-306 |
|---|
| المصدر | ⚠️ https://www.cnblogs.com/aibot/p/18827502 |
|---|
| المستخدم | Anonymous User |
|---|
| ارسال | 15/04/2025 03:04 PM (1 سنة منذ) |
|---|
| الاعتدال | 27/04/2025 07:53 PM (12 days later) |
|---|
| الحالة | مكرر |
|---|
| إدخال VulDB | 306368 [20120630 Novel-Plus حتى 0e156c04b4b7ce0563bef6c97af4476fcda8f160 SessionController.java list توثيق ضعيف] |
|---|
| النقاط | 0 |
|---|