Submit #619277: jishenghua https://github.com/jishenghua/jshERP <=3.5 IDOR (arbitrary password reset)info

Titeljishenghua https://github.com/jishenghua/jshERP <=3.5 IDOR (arbitrary password reset)
Beschreibung A high-risk IDOR vulnerability has been discovered in the latest version (v3.5). After logging in with a low-privilege role account, users can send requests to modify any account's password through the /jshERP-boot/user/updatePwd endpoint, just like a system administrator account, and can successfully change target account's password.
Quelle⚠️ https://github.com/jishenghua/jshERP/issues/123
Benutzer
 ZAST.AI (UID 87884)
Einreichung20.07.2025 12:03 (vor 11 Monaten)
Moderieren21.07.2025 09:50 (22 hours later)
StatusAkzeptiert
VulDB Eintrag317089 [jshERP bis 3.5 updatePwd erweiterte Rechte]
Punkte18

ZurückÜbersichtWeiter

Interested in the pricing of exploits?

See the underground prices here!