| عنوان | jishenghua https://github.com/jishenghua/jshERP <=3.5 IDOR(arbitrary account deletion) |
|---|
| الوصف | A high-risk IDOR vulnerability has been discovered in the latest version (v3.5). After logging in with a low-privilege role account, users can send requests to the /jshERP-boot/user/deleteBatch endpoint to perform unauthorized batch operations, which should only be accessible by system administrator accounts. This allows attackers to target and affect multiple user accounts simultaneously. |
|---|
| المصدر | ⚠️ https://github.com/jishenghua/jshERP/issues/126 |
|---|
| المستخدم | ez-lbz (UID 87033) |
|---|
| ارسال | 25/07/2025 04:37 PM (9 أشهر منذ) |
|---|
| الاعتدال | 10/08/2025 01:31 PM (16 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 319374 [jshERP حتى 3.5 Endpoint deleteBatch ids تجاوز الصلاحيات] |
|---|
| النقاط | 19 |
|---|