| Título | newpanjing simpleui 2026.01.13 at commit 85b887022217b4e46c9a34d227dbf38fef1e7a92 CWE-862 Missing Authorization / CWE-863 Incorrect Authorization |
|---|
| Descrição | newpanjing simpleui 2026.01.13 contains an authorization bypass in simpleui.admin.AjaxAdmin. The AjaxAdmin.get_urls() method registers the custom admin endpoints "ajax" and "layer" as raw view callables instead of wrapping them with Django admin's admin_site.admin_view(), so they do not receive the normal admin authentication, staff, permission, CSRF, and no-cache protections. The ajax callback accepts a request-controlled _action value, checks only that the ModelAdmin object has an attribute of that name, resolves the action with self.get_action(action), builds a queryset from POST data, and directly executes the action function. The UI layer filters visible action buttons with admin.get_actions(request) and per-permission checks, but callback() and get_layer() do not enforce the same filtered action list server-side. In a consuming Django application that registers a model admin class inheriting from AjaxAdmin and provides meaningful admin actions, an attacker who can reach the admin URL can POST to /admin/<app_label>/<model_name>/ajax with _action=<registered_action_name> and _selected=<pk list> to execute actions outside Django admin's normal authorization flow. Depending on the action, impact can include unauthorized data export, data modification, or destructive bulk operations. Remediation should wrap the custom routes in self.admin_site.admin_view(), reject actions not present in self.get_actions(request), and preserve Django admin CSRF and permission checks for both ajax and layer endpoints. |
|---|
| Fonte | ⚠️ https://github.com/newpanjing/simpleui/issues/537 |
|---|
| Utilizador | Galaxyn (UID 98388) |
|---|
| Submissão | 13/06/2026 13h01 (há 1 mês) |
|---|
| Moderação | 18/07/2026 10h32 (1 month later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 380026 [newpanjing simpleui 2026.01.13 AjaxAdmin AJAX Endpoint simpleui/admin.py self.get_action Autenticação fraca] |
|---|
| Pontos | 20 |
|---|