| Title | Dromara lamp-cloud 5.8.1 Broken object property level authorization |
|---|
| Description | ## Summary
A broken access control vulnerability exists in `lamp-cloud` at endpoint `POST /defUser/pageUser` (`DefUserController#pageUser`).
An authenticated low-privilege user can enumerate users outside their own organization/company scope.
This appears to be a row-level authorization/data-scope failure (BOLA/IDOR-style read exposure), not merely an endpoint authentication issue. |
|---|
| Source | ⚠️ https://github.com/dromara/lamp-cloud/issues/403 |
|---|
| User | Anonymous User |
|---|
| Submission | 03/18/2026 05:05 (19 days ago) |
|---|
| Moderation | 04/04/2026 08:27 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 355282 [Dromara lamp-cloud up to 5.8.1 DefUserController /defUser/pageUser improper authorization] |
|---|
| Points | 19 |
|---|