| タイトル | elunez eladmin latest broken function level authorisation |
|---|
| 説明 | Title: Broken Function Level Authorization (BFLA) in eladmin
POC:
Unauthorized Email Update:
A user can update another user's email address without proper authorization.
The updateUserEmail in UserController takes a User object from the request body, and it's possible to change the id or username field in the request to target another user. Although it gets the current user from the security context, it doesn't use it to ensure the user being updated is the same as the authenticated user. |
|---|
| ソース | ⚠️ https://www.cnblogs.com/aibot/p/19063332 |
|---|
| ユーザー | Anonymous User |
|---|
| 送信 | 2025年08月29日 06:05 (8 月 ago) |
|---|
| モデレーション | 2025年09月05日 10:59 (7 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 322739 [elunez eladmin 迄 2.7 Email Address /api/users/updateEmail/ updateUserEmail id/email 特権昇格] |
|---|
| ポイント | 20 |
|---|