JeecgBoot Improper Authorization Vulnerability in Message Template Sending

A vulnerability allowing improper authorization has been identified in JeecgBoot versions prior to 3.8.2. The issue arises in an unknown function of the file '/message/sysMessageTemplate/sendMsg', where the application fails to properly verify if a user has the necessary permissions to use specific message templates or send messages to targeted users. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows authenticated users to send any message template to any user within the system, bypassing authorization checks. This could be used for phishing, spamming, spreading misinformation, or social engineering attacks.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/message/sysMessageTemplate/sendMsg' endpoint. The request must include the ID of a message template and specify the target users. The application will send the message without verifying if the user has permission to use the template or send messages to the users specified.