| Field | Value |
|---|---|
| Title | JeecgBoot 3.9.1 Improper Access Controls |
| Description | The PUT /sys/selectDepart endpoint binds a full SysUser entity from the request body and directly persists the client-supplied orgCode and loginTenantId to the database without any server-side validation: no permission annotation, no department membership check, no tenant ownership verification. Any authenticated user, including those with only the default test role, can set these fields to arbitrary values, effectively switching their session context to any department or tenant in the system. When chained with the userEdit self-escalation, an attacker who switches into a target department's context and elevates their userIdentity to 2 with departIds pointed at that department can then query its complete member list via departUserList, gaining visibility into organizational data they have no legitimate access to. The impact is that the department and tenant boundaries, JeecgBoot's primary data isolation mechanism, can be crossed at will by any logged-in user in two requests, with no administrative privileges required. |
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9597 |
| User | AliceS614 (UID 94277) |
| Submission | 02/05/2026 11:40 AM (1 month ago) |
| Moderation | 26/05/2026 02:50 PM (24 days later) |
| Status | Approved |
| VulDB Entry | 365636 [JeecgBoot up to 3.9.1 /sys/selectDepart LoginController.selectDepart authorization bypass] |
| Points | 20 |