YeQifu Warehouse Improper Authorization Vulnerability in Log Management Component

Vulnerability

An improper authorization vulnerability exists in YeQifu Warehouse versions up to commit aaf29962ba407d22d991781de28796ee7b4670e4, in the Log Info Handler component. The issue is in the LoginfoController.java file and affects the loadAllLoginfo, deleteLoginfo, and batchDeleteLoginfo functions. These functions lack authorization checks, enabling remote attackers to access or delete login audit logs. The lack of authorization checks could disrupt compliance and incident response processes, allowing malicious activities to be concealed.

Impact

Exploitation of this vulnerability could lead to unauthorized access to log data or the deletion of log entries, disrupting audit trails and potentially allowing malicious activities to be hidden from administrators.

Reproduction

To reproduce this vulnerability, send a POST request to the /loginfo/deleteLoginfo endpoint. Include a valid session cookie and the ID of the log entry to be deleted. The request will be processed without any authorization checks, allowing the log entry to be deleted.
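
The gap between authentication and authorization described in the reproduction steps, shown as an added example that is not code from YeQifu Warehouse. It is a framework-free Java model in which Session, LogStore, the handler names with the Unchecked/Checked suffix and the permission string loginfo:delete are hypothetical; the log entries are constructed sample data.

```java
import java.util.*;

// Added illustration: Session, LogStore and the permission strings are
// hypothetical names, not taken from LoginfoController.java.
public class LoginfoAuthzExample {
    record Session(String user, Set<String> permissions) {}

    static class LogStore {
        private final Map<Integer, String> entries = new TreeMap<>();
        LogStore() {  // constructed sample audit entries
            entries.put(1, "admin login from 10.0.0.5");
            entries.put(2, "clerk login from 10.0.0.9");
        }
        boolean delete(int id) { return entries.remove(id) != null; }
        int size() { return entries.size(); }
    }

    // Behaviour the advisory describes: a valid session is the only requirement.
    static boolean deleteLoginfoUnchecked(Session s, LogStore store, int id) {
        if (s == null) return false;   // authentication only, no authorization
        return store.delete(id);
    }

    // Hardened form: the caller must also hold the specific permission.
    static boolean deleteLoginfoChecked(Session s, LogStore store, int id) {
        requirePermission(s, "loginfo:delete");
        return store.delete(id);
    }

    static void requirePermission(Session s, String permission) {
        if (s == null) throw new SecurityException("not authenticated");
        if (!s.permissions().contains(permission))
            throw new SecurityException(s.user() + " lacks " + permission);
    }

    public static void main(String[] args) {
        Session clerk = new Session("clerk", Set.of("goods:view"));
        Session auditor = new Session("auditor", Set.of("loginfo:view", "loginfo:delete"));
        LogStore store = new LogStore();
        System.out.println("unchecked, clerk: " + deleteLoginfoUnchecked(clerk, store, 1));
        try {
            deleteLoginfoChecked(clerk, store, 2);
        } catch (SecurityException e) {
            System.out.println("checked, clerk denied: " + e.getMessage());
        }
        System.out.println("checked, auditor: " + deleteLoginfoChecked(auditor, store, 2));
        System.out.println("entries left: " + store.size());
    }
}
```

The same permission check belongs in front of the read and batch-delete handlers, evaluated before any entry is returned or removed.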

Added: Feb 7, 2026, 7:18 PM
Updated: Feb 7, 2026, 7:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.