Отправить #856716: zhinianboke xianyu-auto-reply main branch at or before commit 04580d6490b4731d0055f29736930d8cc59b60d6 CWE-862 Missing AuthorizationИнформация

Названиеzhinianboke xianyu-auto-reply main branch at or before commit 04580d6490b4731d0055f29736930d8cc59b60d6 CWE-862 Missing Authorization
ОписаниеAn unauthenticated authorization bypass exists in zhinianboke/xianyu-auto-reply at commit 04580d6490b4731d0055f29736930d8cc59b60d6. The backend-web user update endpoint PATCH /api/v1/users/{user_id} is exposed without an authentication dependency such as Depends(deps.get_current_active_user) and without an administrator authorization check. The route accepts a UserUpdate payload and directly passes it to the user update service. The UserUpdate schema includes sensitive fields including email, phone, status, and role. The UserService.update method then applies all supplied fields to the target user object using setattr with no field allowlist. As a result, any unauthenticated remote attacker who knows or can guess a user_id can modify that user. If the attacker supplies {"role":"ADMIN","status":"ACTIVE"}, the target account can be promoted to administrator or reactivated. Affected endpoint: PATCH /api/v1/users/{user_id} Affected code: backend-web/app/api/routes/users.py exposes PATCH /{user_id} without authentication. common/schemas/user.py allows role and status in UserUpdate. backend-web/app/services/user_service.py applies update fields directly with setattr. Proof of concept against a local test instance: curl -i -X PATCH "http://127.0.0.1:8089/api/v1/users/1" -H "Content-Type: application/json" -d '{"email":"[email protected]","role":"ADMIN","status":"ACTIVE"}' Expected behavior: The endpoint should require authentication and should allow only authorized administrators to update another user's role or status. Vulnerable behavior: The target user is updated without any access token. Impact: A remote unauthenticated attacker can modify arbitrary users and escalate privileges to administrator by setting the role field to ADMIN. This may lead to full compromise of application administration features and user data. Recommended remediation: Require authentication and administrator authorization on PATCH /api/v1/users/{user_id}. Split self-service user update and administrator user update schemas. Remove role and status from public user update paths. Enforce service-layer field allowlists so sensitive fields cannot be mass-assigned through non-admin endpoints.
Источник⚠️ https://github.com/zhinianboke/xianyu-auto-reply/issues/192
Пользователь
 Galaxyn (UID 98388)
Представление12.06.2026 05:54 (1 месяц назад)
Модерация14.07.2026 17:51 (1 month later)
Статуспринято
Запись VulDB378334 [zhinianboke xianyu-auto-reply до dcb445ad97816ad65299a7580ee0c8c8f929da84 Backend User Endpoint /api/v1/users/ эскалация привилегий]
Баллы20

Want to know what is going to be exploited?

We predict KEV entries!