| Title | jeecgboot web 3.9.1 Improper Access Controls |
|---|---|
| Description | All 12 management endpoints of SysAnnouncementController (add, delete, modify, query / publish / withdraw / import/export) do not have any @RequiresPermissions/@RequiresRoles/@PermissionData annotations. The Shiro filter only performs JWT authentication but does not handle authorization. The Service layer does not perform data ownership verification. Any authenticated user (only requiring a valid JWT token) can perform complete creation, editing, deletion, publishing, and withdrawing operations on the system-wide announcements, and can also operate on announcements created by any user (horizontal privilege escalation). In contrast, SysUserController in the same project has 23 @RequiresPermissions annotations, while the permission protection of this controller is completely absent. |
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9508 |
| User | XinX (UID 96961) |
| Submission | 31.03.2026 15:51 (23 days ago) |
| Moderation | 09.04.2026 15:03 (9 days later) |
| Status | Accepted |
| VulDB Entry | 356553 [JeecgBoot up to 3.9.1 SysAnnouncementController privilege escalation] |
| Points | 20 |