Article 2: Vulnerability 1 – Unauthenticated Code Generation Endpoint
Title: Unauthenticated Code Generation Interface Allows Arbitrary Table Manipulation
Details:
File: novel-admin/src/main/java/com/java2nb/common/controller/GeneratorController.java
Endpoint: POST /genCode
Issue: The handler performs no authentication or authorization check, so any caller who can reach the server can trigger generatorService.generatorCode() with an arbitrary table name.
Example Request:
curl -X POST "http://target-ip:port/genCode" -d "tableName=user"
Impact: Attackers can remotely trigger backend code generation, potentially overwriting files or causing code injection.
CWE: CWE-306
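A hardened version of the handler, added here as an example and not the project's own code: it assumes Spring MVC and Apache Shiro with annotation processing enabled (the report does not state which framework the project uses), a `GeneratorService.generatorCode(String)` method as named above (declared inline as a stand-in), and a hypothetical permission string and table allow-list. Callers must be an authenticated subject holding the permission, and even then may only name tables on the allow-list.

```java
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Stand-in for the project's GeneratorService named in the report; only the
// signature matters here (assumption: it takes the table name as a String).
interface GeneratorService {
    void generatorCode(String tableName);
}

// Added example (not the project's code): the /genCode handler with the
// missing checks in place. Permission string and allow-list are hypothetical.
@RestController
public class GeneratorControllerHardened {
    private static final Logger LOG = LoggerFactory.getLogger(GeneratorControllerHardened.class);
    // Shape check: a table name handed to the generator is a plain identifier.
    private static final Pattern TABLE_NAME = Pattern.compile("^[A-Za-z0-9_]{1,64}$");
    // Hypothetical allow-list of tables an administrator has approved for generation.
    private static final Set<String> ALLOWED_TABLES = Set.of("user", "book", "book_content");
    private final GeneratorService generatorService;

    public GeneratorControllerHardened(GeneratorService generatorService) {
        this.generatorService = generatorService;
    }

    // Shiro rejects unauthenticated or unauthorized subjects before the body runs;
    // this is the authentication/authorization check the report says is absent.
    @RequiresPermissions("common:generator:code")
    @PostMapping("/genCode")
    public ResponseEntity<String> genCode(@RequestParam("tableName") String tableName) {
        // Defence in depth: an authorized user still cannot name an arbitrary table.
        if (!TABLE_NAME.matcher(tableName).matches() || !ALLOWED_TABLES.contains(tableName)) {
            LOG.warn("genCode rejected table name '{}'", tableName);
            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("table not permitted");
        }
        // Audit trail: record which principal triggered generation for which table.
        LOG.info("genCode by {} for table {}", SecurityUtils.getSubject().getPrincipal(), tableName);
        generatorService.generatorCode(tableName);
        return ResponseEntity.ok("generated");
    }
}
```

With Shiro's annotation support active, a request carrying no session reaches neither the method body nor `generatorCode()`, so the curl request above returns an authorization error instead of triggering generation.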