| Title | elunez eladmin latest broken function level authorisation |
|---|
| Description | Title: Broken Function Level Authorization (BFLA) in eladmin
POC:
Unauthorized Email Update:
A user can update another user's email address without proper authorization.
The updateUserEmail method in UserController takes a User object from the request body, and it's possible to change the id or username field in the request to target another user. Although it gets the current user from the security context, it doesn't use it to ensure that the user being updated is the same as the authenticated user. |
|---|
| Source | ⚠️ https://www.cnblogs.com/aibot/p/19063332 |
|---|
| User | Anonymous User |
|---|
| Submission | 2025-08-29 06:05 (8 months ago) |
|---|
| Moderation | 2025-09-05 10:59 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 322739 [elunez eladmin up to 2.7 Email Address /api/users/updateEmail/ updateUserEmail id/email privilege escalation] |
|---|
| Points | 20 |
|---|
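The pattern the report describes, shown as an added Spring Boot example beside a hardened version. This is illustrative code written for this page, not eladmin's own UserController; the DTO, the `UserService` and `CurrentUser` interfaces, the `/vulnerable` and `/hardened` path suffixes and the omission of eladmin's verification-code parameter are all assumptions. What it demonstrates is the actual defect: the handler reads the authenticated principal from the security context but still picks the target row from the client-supplied `id`, so the check that would make the context meaningful is missing.

```java
// Added example, not eladmin source. All names below (User, UserService,
// CurrentUser, path suffixes) are assumed for demonstration.
package example;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/users")
public class UserEmailController {

    // Assumed minimal request body, matching the fields the report names.
    public static class User {
        public Long id;
        public String username;
        public String email;
    }

    // Assumed persistence boundary; in a real application a JPA repository or service.
    public interface UserService {
        void updateEmail(Long id, String email);
    }

    // Assumed helper that resolves the authenticated principal's id from the security context.
    public interface CurrentUser {
        Long id();
    }

    private final UserService userService;
    private final CurrentUser currentUser;

    public UserEmailController(UserService userService, CurrentUser currentUser) {
        this.userService = userService;
        this.currentUser = currentUser;
    }

    // VULNERABLE (BFLA / object-level authorization missing):
    // the current user is fetched but never compared with the target, so a request
    // body such as {"id": 2, "username": "admin", "email": "attacker@example.com"}
    // sent by user 7 rewrites user 2's address.
    @PostMapping("/updateEmail/vulnerable")
    public ResponseEntity<Object> updateUserEmailVulnerable(@RequestBody User user) {
        Long current = currentUser.id();              // looked up, then ignored
        userService.updateEmail(user.id, user.email); // target chosen by the client
        return ResponseEntity.ok().build();
    }

    // HARDENED: the target row is always the authenticated principal. A client-supplied
    // id that disagrees is rejected with 403 instead of being silently overridden, so
    // probing attempts show up in the access log rather than vanishing.
    @PostMapping("/updateEmail/hardened")
    public ResponseEntity<Object> updateUserEmailHardened(@RequestBody User user) {
        Long current = currentUser.id();
        if (user.id != null && !user.id.equals(current)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        userService.updateEmail(current, user.email); // never user.id
        return ResponseEntity.ok().build();
    }
}
```

The same rule applies to `username`: any field in the body that selects which row to update must be ignored or validated against the principal, because a `User` entity deserialized from the request is attacker-controlled in every field. Where an administrator legitimately needs to change another account's email, that belongs on a separate endpoint guarded by a role check, not on the self-service path.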