| Название | jeecgboot web 3.9.1 Improper Access Controls |
|---|
| Описание | All 12 management endpoints of SysAnnouncementController (add, delete, modify, query / publish / withdraw / import/export) do not have any @RequiresPermissions/@RequiresRoles/@PermissionData annotations. The Shiro filter only performs JWT authentication but does not handle authorization. The Service layer does not perform data ownership verification. Any authenticated user (only requiring a valid JWT Token) can perform complete creation, editing, deletion, publishing, and withdrawing operations on the system-wide announcements, and can also operate announcements created by any user (horizontal privilege escalation). In contrast, SysUserController in the same project has 23 @RequiresPermissions annotations, and the permission protection of this controller is completely absent. |
|---|
| Источник | ⚠️ https://github.com/jeecgboot/JeecgBoot/issues/9508 |
|---|
| Пользователь | XinX (UID 96961) |
|---|
| Представление | 31.03.2026 15:51 (25 дни назад) |
|---|
| Модерация | 09.04.2026 15:03 (9 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 356553 [JeecgBoot до 3.9.1 SysAnnouncementController эскалация привилегий] |
|---|
| Баллы | 20 |
|---|