Recently, our team found an arbitrary user info access vulnerability in the latest version of the project.
The vulnerability logic is present in the file: https://github.com/youlaitech/youlai-mall/blob/master/youlai-system/system-boot/src/main/java/com/youlai/system/controller/SysUserController.java#L59.
The API `getUserDetail()` is not protected by the `@PreAuthorize` annotation, which means that a regular user can access other users' information by requesting `/api/v1/users/{userId}/form`, just as admin users can. This could lead to a breach of user privacy data.

We highly recommend that developers add the `@PreAuthorize` annotation for `getUserDetail()` to ensure that only admin users can access this API and prevent unauthorized access to sensitive user information.
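The fix the report recommends, shown as an added illustration rather than youlai-mall's own code: the unprotected handler beside a version guarded by method-level authorization. `UserService`, `UserForm` and `Result` are hypothetical stand-ins for the project's types, and the `hasRole('ADMIN')` expression is an assumption; the project may use its own permission expression.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Without this, @PreAuthorize is silently ignored and the endpoint stays open.
// Spring Security 6: @EnableMethodSecurity
// Spring Security 5: @EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

@RestController
@RequestMapping("/api/v1/users")
public class SysUserController {

    private final UserService userService; // hypothetical service type

    public SysUserController(UserService userService) {
        this.userService = userService;
    }

    // BEFORE (the reported defect): authentication is required by the filter
    // chain, but no authorization check ties the caller to {userId}, so any
    // logged-in user can read any other user's form data.
    //
    // @GetMapping("/{userId}/form")
    // public Result<UserForm> getUserDetail(@PathVariable Long userId) {
    //     return Result.success(userService.getUserFormData(userId));
    // }

    // AFTER: method-level authorization; only callers holding ROLE_ADMIN
    // reach the body, everyone else gets 403 from Spring Security.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/{userId}/form")
    public Result<UserForm> getUserDetail(@PathVariable Long userId) {
        // hypothetical service call and response wrapper
        return Result.success(userService.getUserFormData(userId));
    }
}
```

A regression test that calls the endpoint with a non-admin principal (for example via `@WithMockUser(roles = "USER")`) and expects 403 is the simplest way to keep this check from being dropped again.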