Submission #817892: JeecgBoot 3.9.1 Improper Access Controls

Title: JeecgBoot 3.9.1 Improper Access Controls
Description: The PUT /sys/selectDepart endpoint binds a full SysUser entity from the request body and directly persists the client-supplied orgCode and loginTenantId to the database without any server-side validation—no permission annotation, no department membership check, no tenant ownership verification. Any authenticated user, including those with only the default test role, can set these fields to arbitrary values, effectively switching their session context to any department or tenant in the system. When chained with the userEdit self-escalation, an attacker who switches into a target department's context and elevates their userIdentity to 2 with departIds pointed at that department can then query its complete member list via departUserList, gaining visibility into organizational data they have no legitimate access to. The impact is that the department and tenant boundaries—JeecgBoot's primary data isolation mechanism—can be crossed at will by any logged-in user in two requests, with no administrative privileges required.
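As an added illustration that is not JeecgBoot's own code, the plain-Java sketch below contrasts the whole-entity binding pattern the description faults with a handler that accepts only orgCode and validates it server-side before persisting it; every class and method name and the sample department data are assumptions made for the demonstration.

```java
// Added illustrative example, not JeecgBoot's code: a plain-Java model of the
// /sys/selectDepart handler with the missing server-side checks in place.
// All class names, method names and sample data here are assumptions.
import java.util.Map;
import java.util.Set;

public class SelectDepartDemo {

    /** Minimal user record: current department, current tenant, memberships. */
    static final class SysUser {
        String orgCode, loginTenantId;
        final Set<String> memberOf;
        SysUser(String orgCode, String tenantId, Set<String> memberOf) {
            this.orgCode = orgCode; this.loginTenantId = tenantId; this.memberOf = memberOf;
        }
    }

    /** Constructed data: department code -> owning tenant. */
    static final Map<String, String> DEPART_TENANT = Map.of(
        "A01", "tenant-1", "A02", "tenant-1", "B01", "tenant-2");

    /** Vulnerable shape: the whole entity is bound and persisted exactly as sent. */
    static void selectDepartUnsafe(SysUser stored, SysUser fromBody) {
        stored.orgCode = fromBody.orgCode;             // client controls department
        stored.loginTenantId = fromBody.loginTenantId; // client controls tenant
    }

    /** Hardened shape: only orgCode is accepted, and it is validated before use. */
    static boolean selectDepartSafe(SysUser caller, String requestedOrgCode) {
        if (requestedOrgCode == null || requestedOrgCode.isBlank()) return false;
        // 1. The department must exist.
        String owningTenant = DEPART_TENANT.get(requestedOrgCode);
        if (owningTenant == null) return false;
        // 2. It must belong to the caller's *current* tenant; the tenant id is
        //    read from the authenticated session, never from the request body.
        if (!owningTenant.equals(caller.loginTenantId)) return false;
        // 3. The caller must already be a member of that department.
        if (!caller.memberOf.contains(requestedOrgCode)) return false;
        caller.orgCode = requestedOrgCode;             // persist the single validated field
        return true;
    }

    public static void main(String[] args) {
        SysUser alice = new SysUser("A01", "tenant-1", Set.of("A01", "A02"));
        System.out.println("A02 (own tenant, member): " + selectDepartSafe(alice, "A02"));
        System.out.println("B01 (other tenant): " + selectDepartSafe(alice, "B01"));
        System.out.println("A03 (unknown department): " + selectDepartSafe(alice, "A03"));
    }
}
```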
Source: https://github.com/jeecgboot/JeecgBoot/issues/9597
User: AliceS614 (UID 94277)
Submitted: 02/05/2026 11:40 (1 month ago)
Moderated: 26/05/2026 14:50 (24 days later)
Status: Accepted
VulDB entry: 365636 [JeecgBoot up to 3.9.1 /sys/selectDepart LoginController.selectDepart privilege escalation]
Points: 20