Enviar #817918: JeecgBoot 3.9.1 Improper Access Controlsinformación

TítuloJeecgBoot 3.9.1 Improper Access Controls
DescripciónThe POST /sys/comment/add, POST /sys/comment/edit, and POST /sys/checkRule/add endpoints lack any @RequiresPermissions annotations and bind full entity objects from request bodies without overriding identity fields server-side. Any authenticated user—including those with only the default test role—can inject arbitrary fromUserId and toUserId values when posting or editing comments, making those comments appear to originate from any target user including the administrator; the same user can inject createBy when creating check rules, forging audit records to attribute actions to arbitrary identities.
Fuente⚠️ https://github.com/jeecgboot/JeecgBoot/issues/9598
Usuario
 AliceS614 (UID 94277)
Sumisión2026-05-02 11:52 (hace 1 mes)
Moderación2026-05-26 14:50 (24 days later)
EstadoAceptado
Entrada de VulDB365637 [JeecgBoot hasta 3.9.1 /sys/comment/add escalada de privilegios]
Puntos20

AnteriorVisión De ConjuntoPróximo

Do you want to use VulDB in your project?

Use the official API to access entries easily!