JeecgBoot Improper Authorization Vulnerability in Filter Handler Component

A vulnerability allowing improper authorization has been identified in JeecgBoot versions through 3.8.2. The issue resides in an unknown function of the file '/sys/user/exportXls' within the Filter Handler component. This vulnerability can be exploited remotely, allowing authenticated users to access unauthorized functionalities or data.

Impact

Exploitation of this vulnerability enables authenticated users to download personal information of all users in the system, including usernames, real names, email addresses, phone numbers, and other details. This data leakage could lead to significant privacy breaches, facilitate phishing and social engineering attacks, allow for spam campaigns using collected contact information, and enable credential stuffing attacks using exported usernames.

Reproduction

To reproduce this vulnerability, an authenticated user with low privileges can send a GET request to the '/sys/user/exportXls' endpoint. The request can be made without any filter parameters, which will result in an export of all users' data. Alternatively, specific filter parameters can be added to limit the export to certain users.