| 标题 | mall 1.0.3 Improper Access Controls |
|---|
| 描述 | The POST /admin/update/{id} endpoint accepts a full UmsAdmin entity via@RequestBody, allowing any super administrator to overwrite another super administrator's password without knowing their current password — bypassing the purpose-built /admin/updatePassword endpoint that correctly requires old-password verification. This creates a lateral lockout attack vector: a single rogue super admin (or an attacker who compromises one super admin's JWT token) can silently change the passwords of all other super admins in a single pass, permanently locking them out of the system. The attack leaves no audit trail distinct from a routine profile update, and the same endpoint simultaneously leaks bcrypt password hashes through GET /admin/{id}, enabling offline credential cracking. While exploitation requires an existing super-admin credential, the impact is irreversible system-wide account takeover ,once all other super admins are locked out, the attacker gains exclusive privilegedaccess with no recovery path short of direct database manipulation. |
|---|
| 来源 | ⚠️ https://github.com/macrozheng/mall/issues/970 |
|---|
| 用户 | AliceS614 (UID 94277) |
|---|
| 提交 | 2026-05-03 10時53分 (1 月前) |
|---|
| 管理 | 2026-05-29 10時39分 (26 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 367156 [macrozheng mall 直到 1.0.3 Super Admin Password /admin/update/ 权限提升] |
|---|
| 积分 | 20 |
|---|