jshERP <=3.5 IDOR(arbitrary account deletion)Информация

Название	jishenghua https://github.com/jishenghua/jshERP <=3.5 IDOR(arbitrary account deletion)
Описание	A high-risk IDOR vulnerability has been discovered in the latest version (v3.5). After logging in with a low-privilege role account, users can send requests to the /jshERP-boot/user/deleteBatch endpoint to perform unauthorized batch operations, which should only be accessible by system administrator accounts. This allows attackers to target and affect multiple user accounts simultaneously.
Источник	⚠️ https://github.com/jishenghua/jshERP/issues/126
Пользователь	ez-lbz (UID 87033)
Представление	25.07.2025 16:37 (9 месяцы назад)
Модерация	10.08.2025 13:31 (16 days later)
Статус	принято
Запись VulDB	319374 [jshERP до 3.5 Endpoint deleteBatch ids эскалация привилегий]
Баллы	19

Do you need the next level of professionalism?

Upgrade your account now!