| タイトル | JeecgBoot 3.9.1 Improper Access Controls |
|---|
| 説明 | The POST /sys/comment/add, POST /sys/comment/edit, and POST /sys/checkRule/add endpoints lack any @RequiresPermissions annotations and bind full entity objects from request bodies without overriding identity fields server-side. Any authenticated user—including those with only the default test role—can inject arbitrary fromUserId and toUserId values when posting or editing comments, making those comments appear to originate from any target user including the administrator; the same user can inject createBy when creating check rules, forging audit records to attribute actions to arbitrary identities. |
|---|
| ソース | ⚠️ https://github.com/jeecgboot/JeecgBoot/issues/9598 |
|---|
| ユーザー | AliceS614 (UID 94277) |
|---|
| 送信 | 2026年05月02日 11:52 (1 月 ago) |
|---|
| モデレーション | 2026年05月26日 14:50 (24 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 365637 [JeecgBoot 迄 3.9.1 /sys/comment/add 特権昇格] |
|---|
| ポイント | 20 |
|---|