| Field | Value |
|---|---|
| Title | jeecgboot 3.9.0 bfla |

**Description**
**Overview**
This issue reports a **Critical Access Control** vulnerability within the `SysUserOnlineController` module of JeecgBoot. The system fails to enforce proper authorization checks on online user management interfaces, allowing any authenticated user to list all active sessions (including tokens) and forcibly terminate (log out) any user, including administrators. This flaw can be weaponized to cause a **Denial of Service (DoS)** condition.
**Vulnerability Details**
The reporter identifies logical defects in two endpoints that facilitate the attack:
1. **Information Disclosure (Sensitive Data Exposure)**
   * **Endpoint**: `GET /sys/online/list`
   * **Defect**: Lacks `@RequiresPermissions` or equivalent role checks.
   * **Impact**: Any low-privileged user can retrieve a list of all online users, including their session **tokens**, usernames, and real names.
2. **Unauthorized Action (Broken Access Control)**
   * **Endpoint**: `POST /sys/online/forceLogout`
   * **Defect**: Does not verify if the requester has administrative privileges or if they are targeting their own session.
   * **Impact**: An attacker can use the tokens obtained from the first vulnerability to invoke this endpoint and invalidate the sessions of other users.
**Exploit Scenario**
* **Step 1**: Attacker logs in as a normal user and queries `/sys/online/list` to harvest active tokens (e.g., Administrator's token).
* **Step 2**: Attacker sends a POST request to `/sys/online/forceLogout` with the victim's token.
* **Step 3**: The victim is immediately logged out. Scripting this process allows the attacker to persistently kick all users offline, rendering the system unusable (**DoS**).
**Conclusion**
This vulnerability represents a severe breach of **Session Management** and **Access Control** principles. The combination of sensitive token leakage and unauthorized session termination allows for trivial disruption of business operations. Remediation requires implementing strict **Role-Based Access Control (RBAC)** on both endpoints, ensuring only administrators can view online lists or force logouts.
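The remediation the report calls for, written out as an added example (this is illustrative code, not JeecgBoot's own `SysUserOnlineController`): a Spring Boot controller for the same two routes, protected with Apache Shiro's `@RequiresPermissions` annotation on the list endpoint and an explicit permission-or-own-session check on the force-logout endpoint. The `OnlineUserService` interface, the `OnlineSession`/`OnlineUserView` records and the permission strings `system:online:list` and `system:online:forceLogout` are assumptions made for the example, not names from the project.

```java
// Added example, not JeecgBoot's code. Assumes Spring Boot + Apache Shiro (the stack the
// report's @RequiresPermissions mention implies). OnlineUserService, the two records and the
// permission strings below are hypothetical names chosen for this illustration.
package example.online;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.List;
import java.util.Objects;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/** Hypothetical session store; the implementation is outside this example. */
interface OnlineUserService {
    List<OnlineSession> listSessions();          // every active session
    boolean invalidate(String token);            // true if a session was removed
    String currentToken();                       // token of the session making this request
}

/** What the store holds. */
record OnlineSession(String token, String username, String realname) {}

/** What the list endpoint returns: the raw token is deliberately not part of it. */
record OnlineUserView(String username, String realname, String tokenFingerprint) {}

@RestController
@RequestMapping("/sys/online")
public class HardenedSysUserOnlineController {

    private final OnlineUserService service;

    public HardenedSysUserOnlineController(OnlineUserService service) {
        this.service = service;
    }

    // Defect described in the report: a handler like the commented one below has no
    // permission check, so any authenticated user receives every session, token included.
    //
    //   @GetMapping("/list")
    //   public List<OnlineSession> list() { return service.listSessions(); }
    //
    // Hardened form: Shiro evaluates the annotation before the body runs and throws
    // UnauthorizedException (mapped to HTTP 403 by the usual exception handler) otherwise.
    // The response also carries only a fingerprint of each token, never the token itself.
    @GetMapping("/list")
    @RequiresPermissions("system:online:list")
    public List<OnlineUserView> list() {
        return service.listSessions().stream()
                .map(s -> new OnlineUserView(s.username(), s.realname(), fingerprint(s.token())))
                .toList();
    }

    // Hardened form of the second endpoint: the caller may terminate a session only if it
    // holds the force-logout permission or is targeting its own session (the two conditions
    // the report says the original never checks).
    @PostMapping("/forceLogout")
    public ResponseEntity<String> forceLogout(@RequestParam("token") String token) {
        boolean isAdmin = SecurityUtils.getSubject().isPermitted("system:online:forceLogout");
        boolean isOwnSession = Objects.equals(token, service.currentToken());
        if (!isAdmin && !isOwnSession) {
            // Do not reveal whether the token exists; the same 403 for any foreign token.
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("not permitted");
        }
        return service.invalidate(token)
                ? ResponseEntity.ok("session terminated")
                : ResponseEntity.status(HttpStatus.NOT_FOUND).body("no such session");
    }

    /** Short one-way identifier so an admin can correlate list entries with audit logs without seeing tokens. */
    static String fingerprint(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest, 0, 6);   // first 12 hex characters
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

Two points worth checking when applying a fix of this shape. `@RequiresPermissions` is only enforced when Shiro's annotation advisor is registered and the controller bean is proxied, so the evidence that the fix works is an integration test that calls `/sys/online/list` and `/sys/online/forceLogout` as a low-privileged user and expects 403, not the presence of the annotation in a code review. And the list endpoint omitting raw tokens is a separate, deliberate choice: once the permission check is in place an administrator still has no need to see other users' bearer tokens, and a fingerprint is enough to pick the session to terminate.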
| Field | Value |
|---|---|
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9195 |
| User | Anonymous User |
| Submission | 12/15/2025 16:28 (6 months ago) |
| Moderation | 12/18/2025 19:25 (3 days later) |
| Status | Accepted |
| VulDB entry | 337433 [JeecgBoot up to 3.9.0 SysUserOnlineController.java SysUserOnlineController user session] |
| Points | 19 |