X-SpringBoot Role-Based Access Control Desynchronization Vulnerability
Vulnerability
A privilege revocation failure vulnerability exists in X-SpringBoot version 6.0, stemming from an improper implementation of role-based access control (RBAC). The issue arises because the frontend menu updates, such as revoking privileges, do not synchronize in real-time with the backend permission tables. As a result, while users may lose access to certain functions through the web interface, the outdated permission records still allow unauthorized API requests via tools like Postman. Exploiting this vulnerability could enable attackers to perform privileged actions, such as creating high-permission user accounts, accessing sensitive data beyond their clearance level, and executing admin-level commands.
Impact
Exploitation of this vulnerability allows users to retain privileges that should have been revoked, enabling them to perform actions beyond their authorized scope. This could include accessing sensitive information, executing administrative tasks, or manipulating user accounts with elevated permissions.
Reproduction
To reproduce this vulnerability, first create a user with permissions to manage other users. Then, revoke that user's privileges through the admin interface. Despite the revocation, the user can still perform actions associated with the removed privileges, such as creating new user accounts, by directly accessing the API with their authentication token.
Remediation
To address this vulnerability, implement synchronous validation in the permission modification process. Ensure that updates to the frontend menu and backend permission tables occur atomically to prevent desynchronization issues.
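The following plain Java program is an added illustration, not code from X-SpringBoot, of the defect described above and of the remediation. The class and method names (PermissionTable, StaleSnapshotAuthorizer, LiveAuthorizer), the user "alice" and the permission code "user:create" are constructed for the example. StaleSnapshotAuthorizer copies a user's privileges into a per-token session at login and never refreshes them, so revoking in the backend table leaves the API check reading stale data; LiveAuthorizer keeps no per-token copy and consults the backend table on every request, so a revocation takes effect immediately. The helper retainsRevokedPrivilege mirrors the reproduction steps (grant, log in, revoke, then call the API with the old token) and can serve as a regression check.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/* Added illustration, not X-SpringBoot's code. Names and sample values are constructed. */
public class RbacSyncDemo {

    /** Backend permission table: username -> granted permission codes (constructed model). */
    static final class PermissionTable {
        private final Map<String, Set<String>> grants = new ConcurrentHashMap<>();

        void grant(String user, String perm) {
            grants.computeIfAbsent(user, u -> ConcurrentHashMap.newKeySet()).add(perm);
        }

        void revoke(String user, String perm) {
            Set<String> s = grants.get(user);
            if (s != null) s.remove(perm);
        }

        boolean has(String user, String perm) {
            Set<String> s = grants.get(user);
            return s != null && s.contains(perm);
        }

        /** Copy of the user's current grants; used only by the vulnerable design. */
        Set<String> snapshot(String user) {
            return new HashSet<>(grants.getOrDefault(user, Set.of()));
        }
    }

    interface Authorizer {
        String login(String user);                  // returns an authentication token
        boolean allowed(String token, String perm); // check performed on each API call
        void revoke(String user, String perm);      // admin-side revocation
    }

    /** Vulnerable pattern: privileges are frozen into the token's session at login. */
    static final class StaleSnapshotAuthorizer implements Authorizer {
        private final PermissionTable table;
        private final Map<String, Set<String>> sessions = new ConcurrentHashMap<>();

        StaleSnapshotAuthorizer(PermissionTable table) { this.table = table; }

        public String login(String user) {
            String token = UUID.randomUUID().toString();
            sessions.put(token, table.snapshot(user)); // copy taken once, never refreshed
            return token;
        }

        public boolean allowed(String token, String perm) {
            return sessions.getOrDefault(token, Set.of()).contains(perm); // reads the stale copy
        }

        public void revoke(String user, String perm) {
            table.revoke(user, perm); // backend table updated, sessions untouched: desynchronized
        }
    }

    /** Hardened pattern: the backend table is authoritative on every request. */
    static final class LiveAuthorizer implements Authorizer {
        private final PermissionTable table;
        private final Map<String, String> tokenOwner = new ConcurrentHashMap<>();

        LiveAuthorizer(PermissionTable table) { this.table = table; }

        public String login(String user) {
            String token = UUID.randomUUID().toString();
            tokenOwner.put(token, user); // token maps to identity only, not to privileges
            return token;
        }

        public boolean allowed(String token, String perm) {
            String user = tokenOwner.get(token);
            return user != null && table.has(user, perm); // no per-token copy that can go stale
        }

        public synchronized void revoke(String user, String perm) {
            table.revoke(user, perm); // one authoritative write; the next request sees it
        }
    }

    /** Mirrors the advisory's reproduction: grant, log in, revoke, then call the API. */
    static boolean retainsRevokedPrivilege(Authorizer auth, PermissionTable table) {
        table.grant("alice", "user:create");
        String token = auth.login("alice");
        auth.revoke("alice", "user:create");
        return auth.allowed(token, "user:create"); // should be false once the fix is in place
    }

    public static void main(String[] args) {
        PermissionTable t1 = new PermissionTable();
        System.out.println("stale-snapshot design retains revoked privilege: "
                + retainsRevokedPrivilege(new StaleSnapshotAuthorizer(t1), t1));
        PermissionTable t2 = new PermissionTable();
        System.out.println("live-check design retains revoked privilege: "
                + retainsRevokedPrivilege(new LiveAuthorizer(t2), t2));
    }
}
```

In a real Spring Boot deployment the same principle applies to any permission cache (session attributes, a Redis entry, or claims embedded in a token): either the authorization filter reads the database on each request, or the revocation handler writes the table and evicts the cached entry within the same transaction, so that the web menu and the API can never disagree.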
