| Название | mall 1.0.3 Improper Access Controls |
|---|
| Описание | The POST /admin/update/{id} endpoint accepts a full UmsAdmin entity via@RequestBody, allowing any super administrator to overwrite another super administrator's password without knowing their current password — bypassing the purpose-built /admin/updatePassword endpoint that correctly requires old-password verification. This creates a lateral lockout attack vector: a single rogue super admin (or an attacker who compromises one super admin's JWT token) can silently change the passwords of all other super admins in a single pass, permanently locking them out of the system. The attack leaves no audit trail distinct from a routine profile update, and the same endpoint simultaneously leaks bcrypt password hashes through GET /admin/{id}, enabling offline credential cracking. While exploitation requires an existing super-admin credential, the impact is irreversible system-wide account takeover ,once all other super admins are locked out, the attacker gains exclusive privilegedaccess with no recovery path short of direct database manipulation. |
|---|
| Источник | ⚠️ https://github.com/macrozheng/mall/issues/970 |
|---|
| Пользователь | AliceS614 (UID 94277) |
|---|
| Представление | 03.05.2026 10:53 (1 месяц назад) |
|---|
| Модерация | 29.05.2026 10:39 (26 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 367156 [macrozheng mall до 1.0.3 Super Admin Password /admin/update/ эскалация привилегий] |
|---|
| Баллы | 20 |
|---|