| Titel | Dromara lamp-cloud 5.8.1 Broken object property level authorization |
|---|
| Beschreibung | ## Summary
A broken access control vulnerability exists in `lamp-cloud` at endpoint `POST /defUser/pageUser` (`DefUserController#pageUser`).
An authenticated low-privilege user can enumerate users outside their own organization/company scope.
This appears to be a row-level authorization/data-scope failure (BOLA/IDOR-style read exposure), not merely an endpoint authentication issue. |
|---|
| Quelle | ⚠️ https://github.com/dromara/lamp-cloud/issues/403 |
|---|
| Benutzer | Anonymous User |
|---|
| Einreichung | 18.03.2026 05:05 (vor 28 Tagen) |
|---|
| Moderieren | 04.04.2026 08:27 (17 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 355282 [Dromara lamp-cloud bis 5.8.1 DefUserController /defUser/pageUser erweiterte Rechte] |
|---|
| Punkte | 19 |
|---|