Yeqifu Warehouse Improper Authorization Vulnerability in Role Management Component
Vulnerability
An improper authorization vulnerability has been identified in the Yeqifu Warehouse application, specifically in the Role Management component. This issue affects the CRUD (Create, Read, Update, Delete) endpoints for role management, which are exposed to all authenticated users. The vulnerability allows attackers to delete important roles, create new privileged roles, or modify existing ones, thereby disrupting access control for multiple users. The issue is present in the latest commit prior to aaf29962ba407d22d991781de28796ee7b4670e4.
Impact
Exploitation of this vulnerability could lead to unauthorized access and modification of role assignments, allowing for privilege escalation and disruption of normal operational functions.
Reproduction
To reproduce this vulnerability, log in as a user with low privileges. Then, send a request to the 'deleteRole' endpoint, including the ID of a role to be deleted, such as an admin role. The request will be processed successfully, and the role will be removed from the system.
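The flaw described above is a missing per-action authorization check: the handler verifies only that the caller is logged in. The following is an added illustration, not code from the Yeqifu Warehouse project; it models the 'deleteRole' handler in that flawed form beside a hardened version that requires a constructed `role:manage` permission and records denied attempts for detection. All names, the session model and the role table are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    authenticated: bool
    permissions: set = field(default_factory=set)

class Unauthorized(Exception): ...
class Forbidden(Exception): ...

# Constructed sample role table; "admin" stands in for an important role.
ROLES = {1: "admin", 2: "warehouse_clerk", 3: "auditor"}
AUDIT_LOG = []  # denied attempts are recorded here so they can be alerted on

def delete_role_vulnerable(session, role_id, roles):
    """Flawed pattern: any logged-in user may delete any role."""
    if not session.authenticated:
        raise Unauthorized("login required")
    roles.pop(role_id, None)

def delete_role_hardened(session, role_id, roles):
    """Requires authentication AND the role-management permission."""
    if not session.authenticated:
        raise Unauthorized("login required")
    if "role:manage" not in session.permissions:
        AUDIT_LOG.append(f"DENY deleteRole id={role_id} user={session.user}")
        raise Forbidden(f"{session.user} may not manage roles")
    if role_id not in roles:
        raise KeyError(role_id)
    del roles[role_id]

def attempt(handler, session, role_id):
    """Run a handler on a fresh copy of ROLES; return (outcome, surviving role names)."""
    roles = dict(ROLES)
    try:
        handler(session, role_id, roles)
        outcome = "deleted"
    except Unauthorized:
        outcome = "unauthorized"
    except Forbidden:
        outcome = "forbidden"
    except KeyError:
        outcome = "not_found"
    return outcome, sorted(roles.values())
```

The same permission check belongs on the create and update endpoints as well, since the advisory covers the whole CRUD surface of the Role Management component.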