| Title | JeecgBoot 3.9.1 Improper Access Controls |
|---|---|
| Description | There is a privilege escalation in JeecgBoot v3.9.1's `POST /sys/user/login/setting/userEdit` endpoint, rated CRITICAL because it combines a misassigned permission with a complete lack of field-level filtering. The `userIdentity` field in the `SysUser` entity controls department data visibility: a value of 1 means a regular member who cannot see department member lists, while 2 designates a department supervisor who can query all users in their managed departments via `departUserList`. This field should only be modified through the internal `changeDepartChargePerson` workflow, but the `userEdit` endpoint binds the full `SysUser` entity via `@RequestBody`, performs only a username-level ownership check (`if(!username.equals(user.getUsername()))`), and then blindly calls `sysUserService.updateById(sysUser)` on the request body object rather than the database-loaded entity. The endpoint is protected by `@RequiresPermissions("system:user:setting:edit")`, but critically this permission is assigned to the test role, the default role granted to every registered user in the seed SQL. |
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9596 |
| User | AliceS614 (UID 94277) |
| Submission | 02/05/2026 11:17 AM (1 month ago) |
| Moderation | 26/05/2026 02:50 PM (24 days later) |
| Status | Accepted |
| VulDB Entry | 365635 [JeecgBoot up to 3.9.1 SysUser userEdit user.getUsername userIdentity privilege escalation] |
| Points | 20 |
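The root cause described above is a mass-assignment pattern: the framework-bound request object is persisted wholesale after an ownership check. The following is an added illustration, not JeecgBoot's own code, showing that pattern next to a hardened version that loads the stored entity and copies only an explicit allowlist of self-service fields. Only `SysUser`, `userIdentity`, `updateById` and the endpoint behaviour come from the report; the controller, service interface, field names and the `getByUsername` method are hypothetical placeholders.

```java
// Added example (not JeecgBoot's code): self-profile edit with and without
// field-level filtering. Names other than SysUser, userIdentity and
// updateById are hypothetical placeholders.
public class UserSettingControllerExample {

    // Hypothetical minimal entity mirroring the fields discussed in the report.
    public static class SysUser {
        private String username;
        private String realname;
        private String phone;
        private Integer userIdentity; // 1 = member, 2 = department supervisor

        public String getUsername() { return username; }
        public void setUsername(String v) { username = v; }
        public String getRealname() { return realname; }
        public void setRealname(String v) { realname = v; }
        public String getPhone() { return phone; }
        public void setPhone(String v) { phone = v; }
        public Integer getUserIdentity() { return userIdentity; }
        public void setUserIdentity(Integer v) { userIdentity = v; }
    }

    // Hypothetical service standing in for sysUserService.
    public interface SysUserService {
        SysUser getByUsername(String username);   // assumed lookup
        boolean updateById(SysUser user);
    }

    private final SysUserService sysUserService;

    public UserSettingControllerExample(SysUserService service) {
        this.sysUserService = service;
    }

    // Vulnerable pattern as described in the report: after the username check,
    // the request body object itself is persisted, so every bound column
    // (including userIdentity) reaches the database.
    public boolean userEditVulnerable(String currentUsername, SysUser body) {
        if (!currentUsername.equals(body.getUsername())) {
            return false;
        }
        return sysUserService.updateById(body);
    }

    // Hardened pattern: start from the database-loaded entity and copy only an
    // allowlist of fields a user may change about themselves. Privilege-bearing
    // fields such as userIdentity are never read from the request, so a value
    // of 2 in the body has no effect on what is stored.
    public boolean userEditHardened(String currentUsername, SysUser body) {
        SysUser stored = sysUserService.getByUsername(currentUsername);
        if (stored == null) {
            return false;
        }
        if (body.getRealname() != null) {
            stored.setRealname(body.getRealname());
        }
        if (body.getPhone() != null) {
            stored.setPhone(body.getPhone());
        }
        // userIdentity intentionally not copied: it is only changed by the
        // supervisor-assignment workflow, not by self-service edits.
        return sysUserService.updateById(stored);
    }
}
```

A cleaner variant binds the request to a dedicated DTO that physically lacks `userIdentity`, so the privileged field cannot be supplied at all. Either way, the entity that reaches `updateById` must originate from the database, not from the request. The second half of the report (the `system:user:setting:edit` permission being granted to the default role) is a separate authorization fix in the seed data and is not addressed by this code.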