Blog Vue Spring Boot Unauthorized Article Modification Vulnerability

Vulnerability

A vulnerability allowing unauthorized modification of articles exists in Blog Vue Spring Boot version 0.0.1. The issue arises in the '/articles/publish' API endpoint, where the backend fails to verify that the requesting user owns the article being modified, allowing users to edit any article without logging in.

Impact

Exploitation of this vulnerability allows unauthorized users to modify articles, potentially leading to privilege escalation by overwriting content with misleading or harmful information.

Reproduction

To reproduce this vulnerability, first publish an article as User A and note the article ID. Then, log in as User B, create a new article, and capture the edit request. Change the 'id' field in the captured request to the previously recorded ID of User A's article. Send the request; the backend processes it without any ownership verification, so User B overwrites User A's article.
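The server-side fix for the missing check, shown as an added example that is not code from the Blog Vue Spring Boot project: a Spring Boot handler for '/articles/publish' that treats the stored article, not the request body, as the record of ownership, and refuses the update when the stored owner does not match the authenticated caller. The Article, ArticleRepository and ArticleService names, the userId field, and the use of the principal name as the owner key are assumptions about the application's model.

```java
// Added example, not the project's code. Article, ArticleRepository,
// ArticleService and the userId field are assumed names for the app's model.
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ArticleController {

    private final ArticleRepository articles;     // assumed Spring Data repository
    private final ArticleService articleService;  // assumed create/update service

    public ArticleController(ArticleRepository articles, ArticleService articleService) {
        this.articles = articles;
        this.articleService = articleService;
    }

    // Vulnerable shape (kept as a comment for contrast): whatever 'id' the client
    // sends is updated, with no check of who owns that row.
    // @PostMapping("/articles/publish")
    // public Article publishUnchecked(@RequestBody Article incoming) {
    //     return articleService.saveOrUpdate(incoming);
    // }

    // Hardened shape: require an authenticated principal and, on the update path,
    // compare the stored owner against that principal before saving anything.
    @PostMapping("/articles/publish")
    public ResponseEntity<Article> publish(@RequestBody Article incoming, Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        String caller = auth.getName(); // assumed: principal name is the stored owner key

        if (incoming.getId() != null) {
            // The client-supplied id selects the row; the stored row decides ownership.
            Article existing = articles.findById(incoming.getId()).orElse(null);
            if (existing == null) {
                return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
            }
            if (!caller.equals(existing.getUserId())) {
                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
            }
        }
        // Never trust an owner field from the request body: pin it to the caller.
        incoming.setUserId(caller);
        return ResponseEntity.ok(articleService.saveOrUpdate(incoming));
    }
}
```

Forbidden responses on this endpoint are worth logging with the caller and the targeted id, since a burst of them is the observable trace of the reproduction above.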

Added: Oct 28, 2025, 6:21 PM
Updated: Oct 28, 2025, 6:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.