jshERP Access Control Vulnerability Leading to Unauthenticated Remote Command Execution

Vulnerability

A vulnerability in jshERP prior to commit 90c411a allows unauthenticated remote command execution due to incorrect access control. The issue lies in the '/jshERP-boot/user/info' interface, where an attacker can retrieve sensitive user information by sending a crafted GET request. The root cause is a lack of proper permission filtering, which leaves an interface that should be restricted reachable without authentication.

Impact

Exploitation of this vulnerability allows for unauthenticated remote command execution on the server where jshERP is hosted.

Reproduction

To reproduce this vulnerability, send a GET request to the '/jshERP-boot/user/info' interface with a user ID parameter. The request bypasses access controls and returns sensitive information about the specified user, including the user's role and password hash. An obtained password hash can be used to log in as that user, including administrative accounts, which are able to execute arbitrary code by deploying malicious plugins.
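As an added detection example (not part of the original advisory or of the jshERP project), the script below scans a constructed reverse-proxy access log for the pattern described above: requests to '/jshERP-boot/user/info' that carry no session, and sources that request several distinct user IDs in a row. The log format, the "auth" flag and the query-parameter name "id" are assumptions for this example and should be adjusted to the actual deployment.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample reverse-proxy log (one JSON object per line). The field names
# and the "auth" flag (true when a session cookie or token was present) are
# assumptions for this example, not jshERP's own log format.
SAMPLE_LOG = """\
{"src": "10.0.0.5",    "url": "/jshERP-boot/user/info?id=1", "auth": true}
{"src": "203.0.113.9", "url": "/jshERP-boot/user/info?id=1", "auth": false}
{"src": "203.0.113.9", "url": "/jshERP-boot/user/info?id=2", "auth": false}
{"src": "203.0.113.9", "url": "/jshERP-boot/user/info?id=3", "auth": false}
{"src": "10.0.0.7",    "url": "/jshERP-boot/material/list",  "auth": false}
"""

SENSITIVE_PATH = "/jshERP-boot/user/info"
ID_PARAM = "id"  # assumed name of the user-ID query parameter

def parse_line(line):
    """Parse one log line into (src, path, query_dict, authenticated)."""
    rec = json.loads(line)
    parts = urlsplit(rec["url"])
    return rec["src"], parts.path, parse_qs(parts.query), bool(rec["auth"])

def find_suspicious(log_text, enumeration_threshold=2):
    """Flag sources that reach the user-info endpoint without a session, and
    sources that request several distinct user IDs (enumeration).
    Returns {src: {"unauthenticated": count, "distinct_ids": sorted ids}}."""
    unauth = {}
    ids_seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, path, query, authed = parse_line(line)
        if path != SENSITIVE_PATH:
            continue  # other endpoints are out of scope for this check
        if not authed:
            unauth[src] = unauth.get(src, 0) + 1
        for uid in query.get(ID_PARAM, []):
            ids_seen.setdefault(src, set()).add(uid)
    alerts = {}
    for src in set(unauth) | set(ids_seen):
        n_unauth = unauth.get(src, 0)
        ids = sorted(ids_seen.get(src, set()))
        if n_unauth or len(ids) >= enumeration_threshold:
            alerts[src] = {"unauthenticated": n_unauth, "distinct_ids": ids}
    return alerts

if __name__ == "__main__":
    for src, info in find_suspicious(SAMPLE_LOG).items():
        print(src, info)
```

On the sample log only 203.0.113.9 is reported (three unauthenticated requests, IDs 1 to 3); the authenticated single lookup from 10.0.0.5 is not flagged.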

Added: Oct 28, 2025, 6:20 PM
Updated: Oct 28, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.