| Título | elunez eladmin latest broken function level authorisation |
|---|
| Descrição | Title: Broken Function Level Authorization (BFLA) in eladmin
POC:
Unauthorized Email Update:
A user can update another user's email address without proper authorization.
The updateUserEmail in UserController takes a User object from the request body, and it's possible to change the id or username field in the request to target another user. Although it gets the current user from the security context, it doesn't use it to ensure the user being updated is the same as the authenticated user. |
|---|
| Fonte | ⚠️ https://www.cnblogs.com/aibot/p/19063332 |
|---|
| Utilizador | Anonymous User |
|---|
| Submissão | 29/08/2025 06h05 (há 8 meses) |
|---|
| Moderação | 05/09/2025 10h59 (7 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 322739 [elunez eladmin até 2.7 Email Address /api/users/updateEmail/ updateUserEmail id/email Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|