CVE request: platform #11 coupon-goods relationship information.

Product: platform v1.0
URL: https://gitee.com/fuyang_lipengjun/platform
Stars: 27.5

Vulnerability Report

  • Product: platform

  • URL: http://host/coupongoods/queryAll

  • Title: Broken Function Level Authorization in CouponGoodsController's queryAll Method

  • PoC (Proof of Concept):

    1. Log in to the application with any user account, including those with low privileges.

    2. Send a GET request to the endpoint http://host/coupongoods/queryAll.

    3. The server returns a complete list of coupon-goods relationship information. This data should typically be restricted to users with administrative privileges.

  • Effect: The queryAll method in the CouponGoodsController class lacks any permission checks. This allows any authenticated user, regardless of their assigned roles or permissions, to access the list of all coupon-goods relationship data, leading to unauthorized information disclosure.

  • Finder: aibot88 @secsys from Fudan University
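The defect described under "Effect" is a controller method that returns data without ever asking whether the caller holds the permission that the rest of the application gates such lists behind. The following is an added example, not code from the platform project: it sketches the unguarded shape beside a hardened version. It assumes a Spring MVC controller and Apache Shiro for authorization; the permission string `coupongoods:list`, the package name, and the `CouponGoodsService` / `CouponGoods` types are placeholders modelled on the controller name in the report, not identifiers taken from the project.

```java
// Added example (not the project's code). Assumptions: Spring MVC + Apache Shiro;
// "coupongoods:list", the package name, CouponGoodsService and CouponGoods are
// placeholders, not identifiers confirmed from the project source.
package com.example.platform.coupon; // placeholder package

import java.util.List;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/coupongoods")
public class CouponGoodsController {

    @Autowired
    private CouponGoodsService couponGoodsService; // assumed project service

    /*
     * BEFORE (the shape the report describes): authentication alone admits the
     * caller, and nothing in the method asks whether that caller may list
     * coupon-goods relationships, so every logged-in user gets the full list.
     *
     *   @GetMapping("/queryAll")
     *   public List<CouponGoods> queryAll() {
     *       return couponGoodsService.queryAll();
     *   }
     */

    // AFTER: the Shiro annotation causes the authorization advisor to reject any
    // subject lacking the permission before the method body runs; the
    // application's exception handler turns that into a 401/403 response.
    @RequiresPermissions("coupongoods:list")
    @GetMapping("/queryAll")
    public List<CouponGoods> queryAll() {
        // Defence in depth: repeat the check programmatically so the method stays
        // protected even if the annotation advisor is misconfigured or the method
        // is reached through a path the advisor does not intercept.
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isPermitted("coupongoods:list")) {
            throw new AuthorizationException("caller lacks permission coupongoods:list");
        }
        return couponGoodsService.queryAll();
    }
}
```

The three PoC steps above double as the regression check for the fix: a login with a low-privilege account followed by `GET /coupongoods/queryAll` should now yield a 403 (or the application's equivalent authorization error) instead of the relationship list, while an account holding the permission still receives it. Auditing every other method in the controller for the same missing annotation is the natural follow-up, since a single unguarded `queryAll` usually indicates a pattern rather than a one-off.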


Vulnerability Request Report

  • Product: platform

  • URL: http://host/coupongoods/queryAll

  • Title: Broken function level authorization (BFLA) in the queryAll method of CouponGoodsController

  • PoC (Proof of Concept):

    1. Log in to the system with a user of any privilege level (including a low-privilege user).

    2. Send a GET request to the URL http://host/coupongoods/queryAll.

    3. The server returns a list of all coupon-goods relationship information. This data should normally be accessible only to administrators.

  • Impact: The queryAll method in the CouponGoodsController class performs no permission check. This allows any authenticated user, regardless of role or permissions, to obtain the list of all coupon-goods relationship data, leading to unauthorized information disclosure.

  • Finder: aibot88 @secsys from Fudan University

posted @ 2025-08-28 20:35  Aibot