| タイトル | mall 1.0.3 Improper Access Controls |
|---|
| 説明 | The POST /admin/update/{id} endpoint accepts a full UmsAdmin entity via@RequestBody, allowing any super administrator to overwrite another super administrator's password without knowing their current password — bypassing the purpose-built /admin/updatePassword endpoint that correctly requires old-password verification. This creates a lateral lockout attack vector: a single rogue super admin (or an attacker who compromises one super admin's JWT token) can silently change the passwords of all other super admins in a single pass, permanently locking them out of the system. The attack leaves no audit trail distinct from a routine profile update, and the same endpoint simultaneously leaks bcrypt password hashes through GET /admin/{id}, enabling offline credential cracking. While exploitation requires an existing super-admin credential, the impact is irreversible system-wide account takeover ,once all other super admins are locked out, the attacker gains exclusive privilegedaccess with no recovery path short of direct database manipulation. |
|---|
| ソース | ⚠️ https://github.com/macrozheng/mall/issues/970 |
|---|
| ユーザー | AliceS614 (UID 94277) |
|---|
| 送信 | 2026年05月03日 10:53 (1 月 ago) |
|---|
| モデレーション | 2026年05月29日 10:39 (26 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 367156 [macrozheng mall 迄 1.0.3 Super Admin Password /admin/update/ 特権昇格] |
|---|
| ポイント | 20 |
|---|