| Название | fuyang_lipengjun platform v1.0 broken function level authorization |
|---|
| Описание | PoC (Proof of Concept):
Log in to the application with any user account, including those with low privileges.
Send a GET request to the endpoint http://host/attribute/queryAll.
The server returns a complete list of attribute information. This data should typically be restricted to users with administrative privileges.
Effect: The queryAll method in the AttributeController class lacks any permission checks. This allows any authenticated user, regardless of their assigned roles or permissions, to access the list of all attribute data, leading to unauthorized information disclosure. |
|---|
| Источник | ⚠️ https://www.cnblogs.com/aibot/p/19063430 |
|---|
| Пользователь | lucasg2g (UID 84737) |
|---|
| Представление | 12.09.2025 10:48 (8 месяцы назад) |
|---|
| Модерация | 18.09.2025 07:52 (6 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 324796 [fuyang_lipengjun platform 1.0 /attribute/queryAll AttributeController эскалация привилегий] |
|---|
| Баллы | 20 |
|---|