jshERP <=3.5 IDOR(arbitrary account deletion)情報

タイトル	jishenghua https://github.com/jishenghua/jshERP <=3.5 IDOR(arbitrary account deletion)
説明	A high-risk IDOR vulnerability has been discovered in the latest version (v3.5). After logging in with a low-privilege role account, users can send requests to the /jshERP-boot/user/deleteBatch endpoint to perform unauthorized batch operations, which should only be accessible by system administrator accounts. This allows attackers to target and affect multiple user accounts simultaneously.
ソース	⚠️ https://github.com/jishenghua/jshERP/issues/126
ユーザー	ez-lbz (UID 87033)
送信	2025年07月25日 16:37 (9 月 ago)
モデレーション	2025年08月10日 13:31 (16 days later)
ステータス	承諾済み
VulDBエントリ	319374 [jshERP 迄 3.5 Endpoint deleteBatch ids 特権昇格]
ポイント	19

Interested in the pricing of exploits?

See the underground prices here!