| 제목 | elunez eladmin latest broken function level authorisation |
|---|
| 설명 | Title: Broken Function Level Authorization (BFLA) in eladmin
POC:
Unauthorized Email Update:
A user can update another user's email address without proper authorization.
The updateUserEmail in UserController takes a User object from the request body, and it's possible to change the id or username field in the request to target another user. Although it gets the current user from the security context, it doesn't use it to ensure the user being updated is the same as the authenticated user. |
|---|
| 원천 | ⚠️ https://www.cnblogs.com/aibot/p/19063332 |
|---|
| 사용자 | Anonymous User |
|---|
| 제출 | 2025. 08. 29. AM 06:05 (8 개월 ago) |
|---|
| 모더레이션 | 2025. 09. 05. AM 10:59 (7 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 322739 [elunez eladmin 까지 2.7 Email Address /api/users/updateEmail/ updateUserEmail id/email 권한 상승] |
|---|
| 포인트들 | 20 |
|---|