y_project RuoYi
cpe:2.3:a:ruoyi:ruoyi:*:*:*:*:*:*:*
- 4.8.0
An improper authorization vulnerability has been identified in y_project RuoYi version 4.8.0. The issue is in the Offline Logout component of the online-user monitor, specifically the batchForceLogout function under the monitor/online directory. Because the ids argument is acted on without checking whether the caller is allowed to terminate the sessions it names, a user can force other users' sessions offline without authorization. The attack can be carried out remotely; its complexity is rated high, so exploitation is considered difficult.
Exploiting this vulnerability, a low-privileged user can log off high-privileged users and disrupt their sessions. According to the report, it could additionally be used to gain unauthorized access by logging in as an admin user, bypassing the normal permission checks.
To reproduce: log in as a regular user, navigate to the offline logout function and capture the request it sends. Replace the value of the ids argument with the session ID of a logged-in admin user and send the modified request. Refreshing the online-user page then shows the admin user as logged off.
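The following is an added example, not RuoYi's own Java code: a small Python model of the batch force-logout handler with the missing check beside a hardened version, then a replay of the reproduction steps above against both. Session IDs, login names, the role name admin, the permission string monitor:online:batchForceLogout, the on_line/off_line status values and the "non-admins may not terminate admin sessions" policy are all assumptions chosen for illustration.

```python
"""Model of a batch force-logout endpoint: unchecked vs. authorized.

Added example, not the project's code. All identifiers below are assumed.
"""
from dataclasses import dataclass, field

# Assumed permission string and role name for the force-logout action.
PERM_BATCH_FORCE_LOGOUT = "monitor:online:batchForceLogout"
ADMIN_ROLE = "admin"


@dataclass
class OnlineSession:
    session_id: str
    login_name: str
    roles: set = field(default_factory=set)
    perms: set = field(default_factory=set)
    status: str = "on_line"


class OnlineSessionStore:
    """In-memory stand-in for the online-user session table."""

    def __init__(self, sessions):
        self._sessions = {s.session_id: s for s in sessions}

    def get(self, sid):
        return self._sessions.get(sid)

    def force_offline(self, sid):
        self._sessions[sid].status = "off_line"


def batch_force_logout_vulnerable(store, caller_sid, ids):
    """Terminates every session id the client sent; caller_sid is never consulted."""
    for sid in ids:
        if store.get(sid) is None:
            return {"code": 500, "msg": "user already offline"}
        store.force_offline(sid)
    return {"code": 0, "msg": "ok"}


def batch_force_logout_hardened(store, caller_sid, ids):
    """Same action, but the caller and every target are checked before any change."""
    caller = store.get(caller_sid)
    if caller is None or caller.status != "on_line":
        return {"code": 401, "msg": "not logged in"}
    # 1. Server-side permission check, independent of what the UI exposed.
    if PERM_BATCH_FORCE_LOGOUT not in caller.perms:
        return {"code": 403, "msg": "permission denied"}
    # 2. Validate all targets first so the request is all-or-nothing.
    for sid in ids:
        target = store.get(sid)
        if target is None:
            return {"code": 500, "msg": "user already offline"}
        # 3. Assumed policy: a non-admin may not terminate an admin's session.
        if ADMIN_ROLE in target.roles and ADMIN_ROLE not in caller.roles:
            return {"code": 403, "msg": "cannot force logout a higher-privileged user"}
    for sid in ids:
        store.force_offline(sid)
    return {"code": 0, "msg": "ok"}


def build_store():
    """Constructed sample data: one admin session and one regular user who can
    reach the force-logout page (holds the permission) but is not an admin."""
    return OnlineSessionStore([
        OnlineSession("sid-admin-1", "admin", roles={ADMIN_ROLE},
                      perms={PERM_BATCH_FORCE_LOGOUT}),
        OnlineSession("sid-user-1", "alice", roles={"common"},
                      perms={PERM_BATCH_FORCE_LOGOUT}),
    ])


def run_poc(handler):
    """Replays the reported steps: the regular user submits the admin's session id.
    Returns (response code, admin session status afterwards)."""
    store = build_store()
    resp = handler(store, "sid-user-1", ["sid-admin-1"])
    return resp["code"], store.get("sid-admin-1").status


def admin_logs_out_user():
    """Legitimate use must still work: the admin terminates the regular user's session."""
    store = build_store()
    resp = batch_force_logout_hardened(store, "sid-admin-1", ["sid-user-1"])
    return resp["code"], store.get("sid-user-1").status


if __name__ == "__main__":
    print("vulnerable:", run_poc(batch_force_logout_vulnerable))
    print("hardened:  ", run_poc(batch_force_logout_hardened))
    print("admin use: ", admin_logs_out_user())
```

The vulnerable handler terminates the admin session because it only checks that each id exists. The hardened handler rejects the same request with 403 and leaves the admin online, while the admin's own use of the function still succeeds. Validating every target before touching any session also avoids a half-applied batch when one id in the list is rejected.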