| Title | Dromara lamp-cloud 5.8.1 Broken object property level authorization |
|---|---|
| Description | Summary: A broken access control vulnerability exists in `lamp-cloud` at endpoint `POST /defUser/pageUser` (`DefUserController#pageUser`). An authenticated low-privilege user can enumerate users outside their own organization/company scope. This appears to be a row-level authorization/data-scope failure (BOLA/IDOR-style read exposure), not merely an endpoint authentication issue. |
| Source | https://github.com/dromara/lamp-cloud/issues/403 |
| User | Anonymous User |
| Submission | 2026-03-18 05:05 (19 days ago) |
| Moderation | 2026-04-04 08:27 (17 days later) |
| Status | Accepted |
| VulDB Entry | 355282 [Dromara lamp-cloud up to 5.8.1 DefUserController /defUser/pageUser privilege escalation] |
| Points | 19 |