Submit #643392: elunez eladmin latest broken function level authorizationinfo

Title	elunez eladmin latest broken function level authorization
Description	Arbitrary File Deletion: A low-privileged user with storage:del permission can delete files belonging to other users. The deleteFile method in LocalStorageController only checks for the storage:del permission but does not verify if the user is the owner of the file being deleted. Request: DELETE /api/localStorage HTTP/1.1 Host: <host>
Source	⚠️ https://www.cnblogs.com/aibot/p/19063329
User	Anonymous User
Submission	08/28/2025 17:37 (8 months ago)
Moderation	09/03/2025 13:40 (6 days later)
Status	Accepted
VulDB entry	322339 [elunez eladmin 1.1 LocalStorageController deleteFile improper authorization]
Points	19

Interested in the pricing of exploits?

See the underground prices here!