| Título | mall 1.0.3 Improper Access Controls |
|---|
| Descrição | The POST /admin/update/{id} endpoint accepts a full UmsAdmin entity via@RequestBody, allowing any super administrator to overwrite another super administrator's password without knowing their current password — bypassing the purpose-built /admin/updatePassword endpoint that correctly requires old-password verification. This creates a lateral lockout attack vector: a single rogue super admin (or an attacker who compromises one super admin's JWT token) can silently change the passwords of all other super admins in a single pass, permanently locking them out of the system. The attack leaves no audit trail distinct from a routine profile update, and the same endpoint simultaneously leaks bcrypt password hashes through GET /admin/{id}, enabling offline credential cracking. While exploitation requires an existing super-admin credential, the impact is irreversible system-wide account takeover ,once all other super admins are locked out, the attacker gains exclusive privilegedaccess with no recovery path short of direct database manipulation. |
|---|
| Fonte | ⚠️ https://github.com/macrozheng/mall/issues/970 |
|---|
| Utilizador | AliceS614 (UID 94277) |
|---|
| Submissão | 03/05/2026 10h53 (há 1 mês) |
|---|
| Moderação | 29/05/2026 10h39 (26 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 367156 [macrozheng mall até 1.0.3 Super Admin Password /admin/update/ Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|