| 标题 | fuyang_lipengjun platform v1.0 broken function level authorization |
|---|
| 描述 | PoC (Proof of Concept):
Log in to the application with any user account, including those with low privileges.
Send a GET request to the endpoint http://host/brand/queryAll.
The server returns a complete list of brand information. This data should typically be restricted to users with administrative privileges.
Effect: The queryAll method in the BrandController class lacks any permission checks. This allows any authenticated user, regardless of their assigned roles or permissions, to access the list of all brand data, leading to unauthorized information disclosure. |
|---|
| 来源 | ⚠️ https://www.cnblogs.com/aibot/p/19063431 |
|---|
| 用户 | lucasg2g (UID 84737) |
|---|
| 提交 | 2025-09-12 10時51分 (8 月前) |
|---|
| 管理 | 2025-09-18 07時52分 (6 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 324797 [fuyang_lipengjun platform 1.0 /brand/queryAll BrandController 权限提升] |
|---|
| 积分 | 20 |
|---|