Assigning CVE request jeecgboot#2: message function abuse

product: jeecgboot

url: https://github.com/jeecgboot/JeecgBoot

stars: 43.7k

 

 

English Report

 

Product: JeecgBoot

URL: /message/sysMessageTemplate/sendMsg

Title: Broken Function Level Authorization in Message Template Sending

Proof of Concept (POC):

  1. A low-privileged user authenticates to the application.

  2. The attacker identifies the ID of a sensitive or official-looking message template (e.g., a password reset notification, a system alert) by observing traffic or making educated guesses.

  3. The attacker crafts a POST request to the /message/sysMessageTemplate/sendMsg endpoint, providing the ID of the chosen message template and specifying target users in the request body.

    POST /message/sysMessageTemplate/sendMsg
    Content-Type: application/json
    Cookie: [Authenticated User Session]
    
    {
      "id": "TEMPLATE_ID",
      "templateContent": "This is a malicious message.",
      "templateType": "1",
      "templateSendType": "1",
      "userIds": "admin,user1,user2"
    }
    
  4. The application sends the message to the specified users using the selected template, without verifying whether the authenticated user has the necessary permissions to use that specific template or to send messages to the targeted users.
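The checks that step 4 describes as missing, modelled as an added example (not code from JeecgBoot or from the report's author): a framework-neutral Python sketch that authorizes a sendMsg-style request at function, template and recipient level. The permission string, template ids, user names and the `Caller` structure are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed values: the permission string, template ids and user names are
# hypothetical and are not taken from JeecgBoot.
SEND_PERMISSION = "message:template:send"
TEMPLATES = {"TPL_PWD_RESET": "Your password was reset.",
             "TPL_TEAM_NOTE": "Team meeting moved to 15:00."}

@dataclass(frozen=True)
class Caller:
    username: str
    permissions: frozenset         # function-level grants
    allowed_templates: frozenset   # template ids this caller may send
    allowed_recipients: frozenset  # user names this caller may message

class Forbidden(Exception):
    """Caller is authenticated but not authorized for this send."""

def authorize_send(caller: Caller, body: dict):
    """Return (content, recipients) that may be sent, or raise Forbidden."""
    # 1. Function level: may this caller invoke sendMsg at all?
    if SEND_PERMISSION not in caller.permissions:
        raise Forbidden(f"{caller.username} lacks {SEND_PERMISSION}")
    # 2. Template level: the id must exist and be granted to this caller.
    tid = body.get("id")
    if not isinstance(tid, str) or tid not in TEMPLATES or tid not in caller.allowed_templates:
        raise Forbidden("template not permitted for caller")
    # 3. Recipient level: every target in the comma-separated userIds field
    #    must be inside the caller's scope; one stray name rejects the request.
    recipients = [u.strip() for u in str(body.get("userIds", "")).split(",") if u.strip()]
    denied = [u for u in recipients if u not in caller.allowed_recipients]
    if not recipients or denied:
        raise Forbidden("recipients not permitted: " + ",".join(denied))
    # 4. Design choice of this sketch: send the stored template text and
    #    ignore any templateContent supplied in the request body.
    return TEMPLATES[tid], recipients

if __name__ == "__main__":
    lead = Caller("lead1", frozenset({SEND_PERMISSION}),
                  frozenset({"TPL_TEAM_NOTE"}), frozenset({"user1", "user2"}))
    for body in ({"id": "TPL_PWD_RESET", "userIds": "admin,user1,user2"},
                 {"id": "TPL_TEAM_NOTE", "templateContent": "x", "userIds": "user1, user2"}):
        try:
            print(authorize_send(lead, body))
        except Forbidden as exc:
            print("403", exc)
```

A handler would call `authorize_send` before dispatching anything and return 403 on `Forbidden`, so a request shaped like the one in step 3 is rejected unless the session holds all three grants.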

Effect:

This vulnerability allows any authenticated user to send any message template to any user in the system. An attacker could exploit this to:

  • Phishing: Send official-looking notifications (e.g., "Your account has been locked, click here to unlock") with malicious links to steal credentials.

  • Spamming/Harassment: Annoy or harass users by sending them a high volume of messages.

  • Misinformation: Disseminate false information within the organization by impersonating system notifications or official announcements.

  • Social Engineering: Craft messages that trick users into performing actions that compromise security.

Finder: aibot88 @secsys from Fudan University


 


posted @ 2025-08-28 19:40  Aibot