jshERP <=3.5 IDOR(arbitrary account deletion)información

Título	jishenghua https://github.com/jishenghua/jshERP <=3.5 IDOR(arbitrary account deletion)
Descripción	A high-risk IDOR vulnerability has been discovered in the latest version (v3.5). After logging in with a low-privilege role account, users can send requests to the /jshERP-boot/user/deleteBatch endpoint to perform unauthorized batch operations, which should only be accessible by system administrator accounts. This allows attackers to target and affect multiple user accounts simultaneously.
Fuente	⚠️ https://github.com/jishenghua/jshERP/issues/126
Usuario	ez-lbz (UID 87033)
Sumisión	2025-07-25 16:37 (hace 9 meses)
Moderación	2025-08-10 13:31 (16 days later)
Estado	Aceptado
Entrada de VulDB	319374 [jshERP hasta 3.5 Endpoint deleteBatch ids escalada de privilegios]
Puntos	19

Do you want to use VulDB in your project?

Use the official API to access entries easily!