| Field | Value |
|---|---|
| Title | jeecgboot web 3.9.1 Improper Access Controls |
| Description | None of the 12 management endpoints of SysAnnouncementController (add, delete, modify, query, publish, withdraw, import, export) carries a @RequiresPermissions, @RequiresRoles or @PermissionData annotation. The Shiro filter only performs JWT authentication; it does not perform authorization. The Service layer does not verify data ownership. Any authenticated user (a valid JWT token is all that is required) can create, edit, delete, publish and withdraw system-wide announcements, and can also operate on announcements created by any other user (horizontal privilege escalation). By contrast, SysUserController in the same project has 23 @RequiresPermissions annotations, while this controller has no permission protection at all. |
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9508 |
| User | XinX (UID 96961) |
| Submission | 03/31/2026 15:51 (10 days ago) |
| Moderation | 04/09/2026 15:03 (9 days later) |
| Status | Accepted |
| VulDB entry | 356553 [JeecgBoot up to 3.9.1 SysAnnouncementController improper authorization] |
| Points | 20 |
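The defect described above, shown as an added illustration rather than JeecgBoot's own code: an endpoint that relies solely on the JWT filter, next to one that adds a Shiro permission annotation plus an ownership check. The class names, the repository interface, the `createBy` field and the permission string `system:announcement:edit` are assumptions made for the example.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.web.bind.annotation.*;

// Hypothetical announcement entity: only the fields the check needs.
class Announcement {
    String id;
    String createBy;   // user id of the author (assumed field name)
    String title;
}

// Minimal repository stand-in so the example is self-contained (hypothetical).
interface AnnouncementRepository {
    Announcement findById(String id);
    void save(Announcement a);
}

@RestController
@RequestMapping("/sys/announcement")
class AnnouncementController {
    private final AnnouncementRepository repo;
    AnnouncementController(AnnouncementRepository repo) { this.repo = repo; }

    // BEFORE: the JWT filter only proves the caller is *some* valid user.
    // No permission is checked and no ownership is checked, so any account
    // can rewrite any announcement it can name by id.
    @PutMapping("/editUnprotected")
    public void editUnprotected(@RequestBody Announcement in) {
        Announcement a = repo.findById(in.id);
        a.title = in.title;
        repo.save(a);
    }

    // AFTER: (1) Shiro enforces a permission string at the endpoint
    // (assumed name "system:announcement:edit"); (2) the handler also
    // compares the record's author with the caller, closing the
    // horizontal escalation even for users who hold the permission.
    @RequiresPermissions("system:announcement:edit")
    @PutMapping("/edit")
    public void edit(@RequestBody Announcement in) {
        Announcement a = repo.findById(in.id);
        String caller = (String) SecurityUtils.getSubject().getPrincipal();
        if (a == null || !caller.equals(a.createBy)) {
            throw new AuthorizationException("caller does not own announcement " + in.id);
        }
        a.title = in.title;
        repo.save(a);
    }
}
```

`@RequiresPermissions` is only enforced when Shiro's annotation advisor (AuthorizationAttributeSourceAdvisor) is registered, so verifying that bean exists is part of confirming the fix.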