| Title | jishenghua https://github.com/jishenghua/jshERP <=3.5 IDOR(arbitrary admin count add) |
|---|
| Description | A high-risk IDOR vulnerability has been discovered in the latest version (v3.5). After logging in with a low-privilege role account, users can send requests to the /jshERP-boot/user/addUser endpoint to create new accounts, including high-privilege accounts and accounts with custom permissions assigned to other groups. This functionality should only be accessible to system administrators, but due to insufficient access control, it is exposed to unauthorized users. |
|---|
| Source | ⚠️ https://github.com/jishenghua/jshERP/issues/125 |
|---|
| User | ez-lbz (UID 87033) |
|---|
| Submission | 07/25/2025 16:32 (9 months ago) |
|---|
| Moderation | 08/10/2025 13:31 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 319373 [jshERP up to 3.5 Endpoint addUser improper authorization] |
|---|
| Points | 20 |
|---|