| タイトル | fuyang_lipengjun platform 1.0 broken function level authorization |
|---|
| 説明 | Product: platform
URL: http://host/adposition/queryAll
Title: Broken Function Level Authorization in AdPositionController's queryAll Method
PoC (Proof of Concept):
Log in to the application with any user account, including those with low privileges.
Send a GET request to the endpoint http://host/adposition/queryAll.
The server returns a complete list of ad position information. This data should typically be restricted to users with administrative privileges.
Effect: The queryAll method in the AdPositionController class lacks any permission checks. This allows any authenticated user, regardless of their assigned roles or permissions, to access the list of all ad position data, leading to unauthorized information disclosure. |
|---|
| ソース | ⚠️ https://www.cnblogs.com/aibot/p/19063427 |
|---|
| ユーザー | Anonymous User |
|---|
| 送信 | 2025年08月30日 16:26 (10 月 ago) |
|---|
| モデレーション | 2025年09月07日 20:43 (8 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 323042 [fuyang_lipengjun platform 1.0.0 AdPositionController /adposition/queryAll 特権昇格] |
|---|
| ポイント | 20 |
|---|