SpringBlade Improper Access Control Vulnerability in User Data Import Function

Vulnerability

SpringBlade version 4.5.0 contains an improper access control flaw in the 'importUser' function. The function performs no permission check beyond requiring an authenticated session, so any logged-in user with only low-level privileges can upload a spreadsheet of user records and have its rows written to the user table. An attacker can use this to overwrite existing user records (data corruption) or to create user accounts of their own choosing.

Impact

Exploitation of this vulnerability allows unauthorized manipulation of user data in the application's database, including overwriting existing user records and creating user accounts that were never legitimately provisioned.

Reproduction

To reproduce this vulnerability, authenticate as a low-privileged user and call the 'importUser' API endpoint, supplying an Excel file of user records in the request. Because the endpoint performs no permission check, the imported rows are written directly to the database. A correctly protected endpoint would reject the same request with an authorization error before reading the uploaded file.
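The following Python model, added here and not taken from SpringBlade, reproduces the failure mode offline: the same import routine is shown once without the authorization check (the pattern the advisory describes) and once with it. The role name, the CSV stand-in for the Excel upload, the sample records and the callers are all constructed for the example.

```python
# Added example, not SpringBlade code: a minimal model of a user-import handler
# with and without an authorization check. The role name, the CSV stand-in for
# the Excel upload and the sample records are assumptions made for this demo.
import csv
import io
from dataclasses import dataclass, field

ADMIN_ROLE = "administrator"    # assumed name of the privileged role
IMPORT_ROLE = ADMIN_ROLE        # role required to import users (assumption)


class PermissionDenied(Exception):
    """Raised when the caller lacks the role required for the operation."""


@dataclass(frozen=True)
class Caller:
    username: str
    roles: frozenset


@dataclass
class UserTable:
    """Stand-in for the application's user table: account name -> record."""
    rows: dict = field(default_factory=dict)


# Constructed sample "spreadsheet": a CSV stand-in for the uploaded Excel file.
SAMPLE_SHEET = """account,name,role
alice,Alice Admin,administrator
mallory,Mallory Intruder,administrator
"""

LOW_PRIV = Caller("bob", frozenset({"user"}))      # ordinary user
ADMIN = Caller("root", frozenset({ADMIN_ROLE}))    # legitimate importer


def parse_import(sheet_text):
    """Parse the upload into records, rejecting rows with missing columns."""
    required = ("account", "name", "role")
    records = []
    for row in csv.DictReader(io.StringIO(sheet_text)):
        if any(row.get(col) in (None, "") for col in required):
            raise ValueError(f"row missing a required column: {row}")
        records.append({col: row[col].strip() for col in required})
    return records


def write_records(records, table):
    """Upsert records into the table; existing accounts are overwritten."""
    for rec in records:
        table.rows[rec["account"]] = rec
    return len(records)


def import_user_vulnerable(caller, sheet_text, table):
    """The pattern described in the advisory: the caller is authenticated but
    never authorized, so any logged-in user creates or overwrites accounts."""
    return write_records(parse_import(sheet_text), table)


def import_user_fixed(caller, sheet_text, table):
    """Same handler with the missing check: authorize before reading the
    upload, and deny by default when the required role is absent."""
    if IMPORT_ROLE not in caller.roles:
        raise PermissionDenied(f"{caller.username} may not import users")
    return write_records(parse_import(sheet_text), table)


def run_import(handler, caller, sheet_text, table):
    """Drive a handler and report ("ok", rows_written) or ("denied", 0)."""
    try:
        return ("ok", handler(caller, sheet_text, table))
    except PermissionDenied:
        return ("denied", 0)


if __name__ == "__main__":
    for handler in (import_user_vulnerable, import_user_fixed):
        table = UserTable()
        status = run_import(handler, LOW_PRIV, SAMPLE_SHEET, table)
        print(f"{handler.__name__}: low-privilege caller -> {status}, "
              f"accounts now in table: {sorted(table.rows)}")
```

Running the script shows the low-privileged caller planting an 'administrator' account through the unchecked handler, while the checked handler refuses before the upload is parsed. The order matters: the permission check comes first so that an unauthorized caller cannot even exercise the spreadsheet parser.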

Remediation

Users are advised to update to SpringBlade version 4.8.0, which adds an interface (API) permission module that enforces authorization on endpoints such as 'importUser'. Until the upgrade is applied, restrict access to the user import endpoint at the gateway or reverse proxy, and review the user table for accounts or changes that were not made by an administrator.

Added: Jan 26, 2026, 5:20 PM
Updated: Jan 26, 2026, 6:48 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.