| Title | 郑州卡卡罗特软件科技有限公司 WukongCRM WukongCRM-11.x-JAVA logical flaw vulnerability |
|---|
| Description |
There is a flaw in the whitelist release logic for Swagger document paths (/v2/app docs) in PermissionServiceImpl. java. Attackers can deceive through URL endings (such as/target/app///; Bypass Gateway authentication and ultimately obtain all permissions for the web system. This vulnerability can tamper with any user's password, query any data credentials, and cause the system to crash, posing risks of full information leakage and data addition, deletion, modification, and querying. |
|---|
| Source | ⚠️ https://github.com/SourByte05/SourByte-Lab/issues/8 |
|---|
| User | sourbyte (UID 94279) |
|---|
| Submission | 01/27/2026 10:16 (3 months ago) |
|---|
| Moderation | 02/06/2026 22:06 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 344776 [WuKongOpenSource WukongCRM up to 11.3.3 URL PermissionServiceImpl.java improper authorization] |
|---|
| Points | 20 |
|---|