إرسال #857929: newpanjing simpleui 2026.01.13 at commit 85b887022217b4e46c9a34d227dbf38fef1e7a92 CWE-862 Missing Authorization / CWE-863 Incorrect Authorizationالمعلومات

عنوانnewpanjing simpleui 2026.01.13 at commit 85b887022217b4e46c9a34d227dbf38fef1e7a92 CWE-862 Missing Authorization / CWE-863 Incorrect Authorization
الوصفnewpanjing simpleui 2026.01.13 contains an authorization bypass in simpleui.admin.AjaxAdmin. The AjaxAdmin.get_urls() method registers the custom admin endpoints "ajax" and "layer" as raw view callables instead of wrapping them with Django admin's admin_site.admin_view(), so they do not receive the normal admin authentication, staff, permission, CSRF, and no-cache protections. The ajax callback accepts a request-controlled _action value, checks only that the ModelAdmin object has an attribute of that name, resolves the action with self.get_action(action), builds a queryset from POST data, and directly executes the action function. The UI layer filters visible action buttons with admin.get_actions(request) and per-permission checks, but callback() and get_layer() do not enforce the same filtered action list server-side. In a consuming Django application that registers a model admin class inheriting from AjaxAdmin and provides meaningful admin actions, an attacker who can reach the admin URL can POST to /admin/<app_label>/<model_name>/ajax with _action=<registered_action_name> and _selected=<pk list> to execute actions outside Django admin's normal authorization flow. Depending on the action, impact can include unauthorized data export, data modification, or destructive bulk operations. Remediation should wrap the custom routes in self.admin_site.admin_view(), reject actions not present in self.get_actions(request), and preserve Django admin CSRF and permission checks for both ajax and layer endpoints.
المصدر⚠️ https://github.com/newpanjing/simpleui/issues/537
المستخدم
 Galaxyn (UID 98388)
ارسال13/06/2026 01:01 PM (1 شهر منذ)
الاعتدال18/07/2026 10:32 AM (1 month later)
الحالةتمت الموافقة
إدخال VulDB380026 [newpanjing simpleui 2026.01.13 AjaxAdmin AJAX Endpoint simpleui/admin.py self.get_action توثيق ضعيف]
النقاط20

Interested in the pricing of exploits?

See the underground prices here!