提交 #857945: geex-arts django-jet 0cc1e636109f680de6759ac30c0b14ef980883bc CWE-639 Authorization Bypass Through User-Controlled Key信息

标题geex-arts django-jet 0cc1e636109f680de6759ac30c0b14ef980883bc CWE-639 Authorization Bypass Through User-Controlled Key
描述geex-arts/django-jet checks only that the requester is a staff user before resolving dashboard modules by primary key in the dashboard module update view. The object lookup is not scoped to request.user, so one staff user can read or modify another staff user's dashboard module by changing the module id. For Google Analytics or Yandex Metrika modules, module forms may include credential-related stored values.
来源⚠️ https://github.com/geex-arts/django-jet/issues/528
用户
 GalaxynX (UID 98977)
提交2026-06-13 13時52分 (1 月前)
管理2026-07-18 11時51分 (1 month later)
状态已接受
VulDB条目380037 [geex-arts django-jet 直到 1.0.8 Dashboard jet/dashboard/views.py 权限提升]
积分19

Do you want to use VulDB in your project?

Use the official API to access entries easily!