| 标题 | yangzongzhuan RuoYi latest broken function level authorisation |
|---|
| 描述 | Title: Broken Function Level Authorization in Batch Role Cancellation
Proof of Concept (PoC):
Log in to the system with any authenticated user.
Obtain a valid Cookie by capturing any request.
Construct and send a POST request to /system/role/authUser/cancelAll with the following parameters:
roleId: The ID of the role to be revoked (e.g., the administrator role ID).
userIds: The ID(s) of the user(s) from whom the role will be revoked.
The specified role will be removed from the target user(s). |
|---|
| 来源 | ⚠️ https://www.cnblogs.com/aibot/p/19063509 |
|---|
| 用户 | Anonymous User |
|---|
| 提交 | 2025-08-29 05時59分 (8 月前) |
|---|
| 管理 | 2025-09-12 23時27分 (15 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 323819 [yangzongzhuan RuoYi 直到 4.8.1 Role cancelAll roleId/userIds 权限提升] |
|---|
| 积分 | 20 |
|---|