Xinguan Incorrect Access Control Vulnerability in User Management API

Vulnerability

An incorrect access control vulnerability has been identified in Xinguan version 0.0.1-SNAPSHOT. The issue lies in the '/system/user/findUserList' API, whose authentication requirement can be bypassed, allowing attackers to access sensitive information by sending a crafted payload.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive information via the affected API.

Reproduction

To reproduce this vulnerability, send a GET request to the '/system/user/findUserList' API. A direct request is denied by the initial authentication check unless it carries a valid 'JSESSIONID' cookie. However, sending the request to '/static;/../system/user/findUserList' instead bypasses the authentication check and returns the sensitive user information.
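The bypass path works because the authorization layer and the servlet container resolve the same request path differently. The following added example (not code from the advisory or from the Xinguan project) models that mismatch: a flawed check that truncates the path at the first ';' before matching it against an assumed rule set (anonymous '/static', protected '/system/'), beside a hardened check that decides on the container-resolved path and rejects paths that only become unambiguous after normalisation. The rule set and both checks are constructed assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed access rules (an assumption, not Xinguan's real configuration):
# static assets are anonymous, everything under /system/ needs a session.
ANONYMOUS_PREFIXES = ("/static",)
PROTECTED_PREFIXES = ("/system/",)


def authz_view_flawed(raw_path: str) -> str:
    """The path as a filter that truncates at the first ';' sees it (flawed view)."""
    return raw_path.split(";", 1)[0]


def container_view(raw_path: str) -> str:
    """The path as a servlet container resolves it: percent-decode, drop the
    ';param' suffix of every segment, then collapse '.' and '..' segments."""
    decoded = unquote(raw_path)
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    return posixpath.normpath("/".join(segments))


def requires_auth(resolved_path: str) -> bool:
    """Apply the constructed rule set to an already-resolved path."""
    if resolved_path.startswith(ANONYMOUS_PREFIXES):
        return False
    return resolved_path.startswith(PROTECTED_PREFIXES)


def decide_flawed(raw_path: str, authenticated: bool) -> bool:
    """True when the request is allowed. Decides on the truncated path, so the
    anonymous rule for /static matches before the container ever sees /system/."""
    return authenticated or not requires_auth(authz_view_flawed(raw_path))


def decide_hardened(raw_path: str, authenticated: bool) -> bool:
    """True when the request is allowed. Decides on the container-resolved path
    and, deliberately strict, rejects any request whose raw path differs from its
    resolved form (matrix parameters, dot segments or percent-encoding)."""
    resolved = container_view(raw_path)
    if raw_path != resolved:
        return False
    return authenticated or not requires_auth(resolved)


if __name__ == "__main__":
    # Constructed sample request, modelled on the path quoted in the advisory.
    crafted = "/static;/../system/user/findUserList"
    print("authz layer sees:", authz_view_flawed(crafted))
    print("container resolves:", container_view(crafted))
    print("flawed check allows unauthenticated:", decide_flawed(crafted, False))
    print("hardened check allows unauthenticated:", decide_hardened(crafted, False))
```

The same comparison of raw versus resolved path is also a useful detection rule on access logs: any request whose path contains ';' or '..' segments but resolves to a protected prefix deserves an alert.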

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.