Yeqifu Warehouse Improper Authorization Vulnerability in Menu Management Component
Vulnerability
An improper authorization vulnerability has been identified in Yeqifu Warehouse versions up to commit aaf29962ba407d22d991781de28796ee7b4670e4. The issue resides in the Menu Management component, specifically within the MenuController.java file. The vulnerability affects the addMenu, updateMenu, and deleteMenu functions, allowing unauthorized users to manipulate menu items. This could disrupt the user interface by hiding essential functions or exposing administrative features to users without the necessary privileges. The vulnerability can be exploited remotely, and a proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows unauthorized users to read and modify menu items, potentially disrupting the application's user interface and access controls. This could lead to unauthorized users gaining access to administrative functions or to critical features being hidden from legitimate users.
Reproduction
To reproduce this vulnerability, log in as a user with low privileges. Then, send a request to the deleteMenu endpoint, including the ID of the menu item to be deleted. The request will be processed successfully, and the menu item will be removed. This can be verified by logging in as a super admin and checking that the item has been deleted.
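The pattern behind this advisory is a privileged handler that performs its state change without first checking the caller's role. The following is an added example written for this page, not code from Yeqifu Warehouse or from its MenuController.java: it reduces the add/update/delete handlers to plain Python functions so the missing check and the hardened form can be run side by side offline. The names MenuStore, Principal, ROLE_SUPER_ADMIN and PermissionDenied, the role strings, and the sample menu rows are assumptions of this example. The hardened handlers also record every denied call, which is the signal a defender would alert on when a low-privilege account reaches these endpoints.

```python
"""Constructed model of the missing-authorization pattern in this advisory.

Added illustration, not code from Yeqifu Warehouse. The real handlers live
in a Java controller; here they are plain functions so the authorization
check can be shown and exercised. MenuStore, Principal, ROLE_SUPER_ADMIN
and PermissionDenied are assumed names, not the project's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ROLE_SUPER_ADMIN = "super_admin"   # assumed role name for this example
ROLE_USER = "user"


@dataclass
class Principal:
    """The authenticated caller, as the server knows it from the session."""
    username: str
    role: str


@dataclass
class MenuStore:
    """In-memory stand-in for the menu table, plus an audit log."""
    menus: Dict[int, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)


class PermissionDenied(Exception):
    """Raised when the caller lacks the role an endpoint requires (HTTP 403)."""


def vulnerable_delete_menu(store: MenuStore, caller: Principal, menu_id: int) -> bool:
    """Before: the handler assumes only admins reach this endpoint.
    Nothing inspects caller.role, so any logged-in user can delete a menu."""
    return store.menus.pop(menu_id, None) is not None


def require_role(caller: Principal, role: str, store: MenuStore, action: str) -> None:
    """Server-side check that must run inside every privileged handler.
    A denied call is logged so low-privilege accounts hitting admin
    endpoints are visible to whoever monitors the application."""
    if caller.role != role:
        store.audit.append(f"DENY {action} by {caller.username} (role={caller.role})")
        raise PermissionDenied(f"{action} requires role {role}")


def add_menu(store: MenuStore, caller: Principal, menu_id: int, name: str) -> None:
    require_role(caller, ROLE_SUPER_ADMIN, store, "addMenu")
    store.menus[menu_id] = name


def update_menu(store: MenuStore, caller: Principal, menu_id: int, name: str) -> None:
    require_role(caller, ROLE_SUPER_ADMIN, store, "updateMenu")
    if menu_id not in store.menus:
        raise KeyError(menu_id)
    store.menus[menu_id] = name


def delete_menu(store: MenuStore, caller: Principal, menu_id: int) -> bool:
    """After: same operation, but the role check runs before any state change."""
    require_role(caller, ROLE_SUPER_ADMIN, store, "deleteMenu")
    return store.menus.pop(menu_id, None) is not None


def demo() -> dict:
    """Replays the advisory's reproduction step against both handler versions."""
    store = MenuStore(menus={1: "Inventory", 2: "System settings"})  # constructed rows
    low_priv = Principal("alice", ROLE_USER)
    admin = Principal("root", ROLE_SUPER_ADMIN)

    # Vulnerable handler: the low-privilege user removes an admin-only menu item.
    removed_by_user_vuln = vulnerable_delete_menu(store, low_priv, 2)

    # Hardened handler: the same kind of request is refused and logged; state unchanged.
    try:
        delete_menu(store, low_priv, 1)
        denied = False
    except PermissionDenied:
        denied = True

    # The super admin can still manage menus through the hardened handlers.
    add_menu(store, admin, 3, "Reports")
    update_menu(store, admin, 3, "Reports (monthly)")
    removed_by_admin = delete_menu(store, admin, 1)

    return {
        "removed_by_user_vuln": removed_by_user_vuln,
        "denied_for_user": denied,
        "removed_by_admin": removed_by_admin,
        "menus": dict(store.menus),
        "audit": list(store.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check is placed inside each handler rather than relying on the menu being hidden in the UI: the advisory's point is that an unprivileged account can call the endpoint directly, so only a server-side decision made per request closes the gap, and logging the denial gives a concrete line to alert on.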
