| タイトル | fuyang_lipengjun platform v1.0 broken function level authorization |
|---|
| 説明 | PoC (Proof of Concept):
Log in to the application with any user account, including those with low privileges.
Send a GET request to the endpoint http://host/attributecategory/queryAll.
The server returns a complete list of attribute category information. This data should typically be restricted to users with administrative privileges.
Effect: The queryAll method in the AttributeCategoryController class lacks any permission checks. This allows any authenticated user, regardless of their assigned roles or permissions, to access the list of all attribute category data, leading to unauthorized information disclosure. |
|---|
| ソース | ⚠️ https://www.cnblogs.com/aibot/p/19063429 |
|---|
| ユーザー | lucasg2g (UID 84737) |
|---|
| 送信 | 2025年09月12日 10:47 (8 月 ago) |
|---|
| モデレーション | 2025年09月18日 07:52 (6 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 324795 [fuyang_lipengjun platform 1.0 queryAll AttributeCategoryController 特権昇格] |
|---|
| ポイント | 20 |
|---|