jshERP Access Control Vulnerability in Supplier Status Modification
Vulnerability
An access control vulnerability has been identified in jshERP version 3.5, specifically within the SupplierController component. This flaw allows unauthorized attackers to arbitrarily change the status of suppliers across any account. The issue arises from improper access control, enabling horizontal privilege escalation by modifying supplier statuses without authorization.
Impact
Exploitation of this vulnerability allows for unauthorized modification of supplier statuses under any account, bypassing established access controls.
Reproduction
To reproduce this vulnerability, log into a jshERP account and navigate to the supplier information section. Select any supplier and click 'Disable'. Use Burp Suite to intercept the request. Modify the request path to '/jshERP-boot/user/login/../../supplier/batchSetStatus', remove the 'X-Access-Token' header, and change the status value in the JSON parameter to 'true' or 'false'. The 'id' value should correspond to the selected supplier's ID.
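The bypass rests on an authentication exemption that is matched against the raw request URI, so a path beginning with the login endpoint and then climbing out with '..' is treated as the login endpoint even though it is routed to the supplier controller. As an added example, not code from the page or from the jshERP project, the following shows the weak check beside its hardened form (normalize before matching the allowlist) and a detection rule run over constructed access-log lines; the exemption prefix and the log format are assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Authentication-exempt prefixes (assumed for this example; the page does not
# show jshERP's actual exemption list). Context path taken from the page's URL.
AUTH_EXEMPT_PREFIXES = ("/jshERP-boot/user/login",)

def normalize_path(raw_path: str) -> str:
    """Collapse '.', '..' and duplicate slashes the way the servlet container
    and Spring's handler mapping do before the request is routed."""
    norm = posixpath.normpath(urlsplit(raw_path).path)
    return norm if norm.startswith("/") else "/" + norm

def is_exempt_weak(raw_path: str) -> bool:
    """Weak check: compares the raw URI, so a path that starts with the login
    endpoint and then climbs out with '..' still looks exempt."""
    return any(raw_path.startswith(p) for p in AUTH_EXEMPT_PREFIXES)

def is_exempt_hardened(raw_path: str) -> bool:
    """Hardened check: normalize first, then compare against the allowlist."""
    return any(normalize_path(raw_path).startswith(p) for p in AUTH_EXEMPT_PREFIXES)

def looks_like_bypass(raw_path: str) -> bool:
    """Detection rule: raw path is exempt but the routed path is not."""
    return is_exempt_weak(raw_path) and not is_exempt_hardened(raw_path)

# Constructed sample access-log lines ("METHOD PATH STATUS"); not real jshERP logs.
SAMPLE_LOG = """\
POST /jshERP-boot/user/login 200
POST /jshERP-boot/user/login/../../supplier/batchSetStatus 200
POST /jshERP-boot/supplier/batchSetStatus 401
GET /jshERP-boot/user/login/../login 200
"""

def find_bypass_attempts(log_text: str) -> list[str]:
    """Return raw request paths from the log that match the bypass pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and looks_like_bypass(parts[1]):
            hits.append(parts[1])
    return hits

if __name__ == "__main__":
    for p in find_bypass_attempts(SAMPLE_LOG):
        print("possible auth-filter bypass:", p, "->", normalize_path(p))
```

A request that only climbs back into the login endpoint itself is not flagged, because its normalized path still matches the allowlist; only paths that leave the exempt prefix are reported.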
