cve request jeecgboot#4 Get All Department Information function

product: jeecgboot

url: https://github.com/jeecgboot/JeecgBoot

stars: 43.7k

English Report

Product: JeecgBoot

URL: /api/queryAllDepartBack

Title: Broken Function Level Authorization in Retrieving All Department Information

Proof of Concept (POC):

  1. A low-privileged user logs into the JeecgBoot application.

  2. The attacker makes a GET request to the /api/queryAllDepartBack endpoint.

    Example Request:

    GET /api/queryAllDepartBack
    Cookie: [Authenticated User Session]
    
  3. The application responds with a list of all departments in the system, including their full details (ID, name, parent ID, etc.), without checking if the requesting user has the necessary permissions to view this information.

Effect:

This vulnerability allows any authenticated user to obtain a complete list of all departments within the organization. An attacker can exploit this to:

  • Information Gathering: Gain a comprehensive understanding of the entire organizational structure, which is valuable for planning targeted attacks like phishing or social engineering.

  • Identify Sensitive Departments: Easily locate high-value departments such as "Human Resources," "Finance," "IT," or "Executive Management," which can be targeted for further attacks.

  • Facilitate Other Attacks: The obtained department IDs can be used in conjunction with other vulnerabilities (like the one in /api/getDepartUserList) to enumerate users within specific sensitive departments.
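To make the missing check concrete, here is an added example (not JeecgBoot's own code) that places the unguarded handler the report describes next to the same handler gated by an Apache Shiro function-level permission check. It assumes JeecgBoot's Spring Boot plus Shiro stack; DepartApiController, DepartService, Depart and the permission string "system:depart:list" are hypothetical placeholders.

```java
// Added example, not JeecgBoot's own code. It contrasts an unguarded
// department-listing handler with one gated by an Apache Shiro
// function-level permission check. DepartApiController, DepartService,
// Depart and the permission "system:depart:list" are placeholders.
package example;

import java.util.List;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

record Depart(String id, String name, String parentId) {}

interface DepartService {
    List<Depart> listAll();
}

@RestController
@RequestMapping("/api")
public class DepartApiController {

    private final DepartService departService;

    public DepartApiController(DepartService departService) {
        this.departService = departService;
    }

    // BEFORE (the behaviour the report describes): the only gate in front
    // of this handler is the authentication filter, so any logged-in user
    // receives the complete department tree (IDs, names, parent IDs).
    @GetMapping("/queryAllDepartBack")
    public List<Depart> queryAllDepartBack() {
        return departService.listAll();
    }

    // AFTER: the same data is served only to subjects holding the
    // "system:depart:list" permission (placeholder name). Shiro evaluates
    // the annotation before the method body runs and throws
    // AuthorizationException otherwise, which should map to HTTP 403.
    // In a real fix the annotation goes on the existing handler; the second
    // path exists here only so both forms compile in one class.
    @RequiresPermissions("system:depart:list")
    @GetMapping("/queryAllDepartBackGuarded")
    public List<Depart> queryAllDepartBackGuarded() {
        return departService.listAll();
    }
}
```

The annotation is enforced only when Shiro's AuthorizationAttributeSourceAdvisor bean is registered, which a Shiro-based Spring Boot application such as JeecgBoot is assumed to have in its Shiro configuration.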

Finder: aibot88 @secsys from Fudan University

Chinese Report (translated)

Product name: JeecgBoot

Vulnerable URL: /api/queryAllDepartBack

Vulnerability title: Broken Function Level Authorization in the Get All Department Information function

Vulnerability verification steps (POC):

  1. A low-privileged user logs in to the JeecgBoot application.

  2. The attacker sends a GET request to the /api/queryAllDepartBack endpoint.

    Example request:

    GET /api/queryAllDepartBack
    Cookie: [Authenticated user session]
    
  3. The application returns a list of all departments in the system, including their full details (ID, name, parent ID, etc.), without checking whether the requesting user has permission to view this information.

Impact:

This vulnerability allows any authenticated user to obtain a complete list of all departments in the organization. An attacker can use it for:

  • Information gathering: gain a full picture of the entire organizational structure, which is valuable for planning targeted attacks such as phishing or social engineering.

  • Identifying sensitive departments: easily locate high-value departments such as "Human Resources", "Finance", "IT" or "Executive Management" for further attacks.

  • Supporting other attacks: the obtained department IDs can be combined with other vulnerabilities (for example the one in /api/getDepartUserList) to enumerate all users in specific sensitive departments.

Finder: aibot88 @secsys from Fudan University

posted @ 2025-08-28 19:42 Aibot