| Titel | elunez eladmin latest broken function level authorisation |
|---|
| Beschreibung | Title: Broken Function Level Authorization (BFLA) in eladmin
POC:
Unauthorized Email Update:
A user can update another user's email address without proper authorization.
The updateUserEmail in UserController takes a User object from the request body, and it's possible to change the id or username field in the request to target another user. Although it gets the current user from the security context, it doesn't use it to ensure the user being updated is the same as the authenticated user. |
|---|
| Quelle | ⚠️ https://www.cnblogs.com/aibot/p/19063332 |
|---|
| Benutzer | Anonymous User |
|---|
| Einreichung | 29.08.2025 06:05 (vor 8 Monaten) |
|---|
| Moderieren | 05.09.2025 10:59 (7 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 322739 [elunez eladmin bis 2.7 Email Address /api/users/updateEmail/ updateUserEmail id/email erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|