提出 #857945: geex-arts django-jet 0cc1e636109f680de6759ac30c0b14ef980883bc CWE-639 Authorization Bypass Through User-Controlled Key情報

タイトルgeex-arts django-jet 0cc1e636109f680de6759ac30c0b14ef980883bc CWE-639 Authorization Bypass Through User-Controlled Key
説明geex-arts/django-jet checks only that the requester is a staff user before resolving dashboard modules by primary key in the dashboard module update view. The object lookup is not scoped to request.user, so one staff user can read or modify another staff user's dashboard module by changing the module id. For Google Analytics or Yandex Metrika modules, module forms may include credential-related stored values.
ソース⚠️ https://github.com/geex-arts/django-jet/issues/528
ユーザー
 GalaxynX (UID 98977)
送信2026年06月13日 13:52 (1 月 ago)
モデレーション2026年07月18日 11:51 (1 month later)
ステータス承諾済み
VulDBエントリ380037 [geex-arts django-jet 迄 1.0.8 Dashboard jet/dashboard/views.py 特権昇格]
ポイント19

Want to know what is going to be exploited?

We predict KEV entries!